(Amen!)dments to the Information Technology Act
Debasis Nayak, Director, Asian School of Cyber Laws
discusses the recent amendments to the IT Act 2000 that clarify its provisions
and give it teeth. In the backdrop of e-fraud in banking and BPO, he clearly
lays out the shortcomings that existed in the IT Act and how these have been
addressed in its latest avatar.
With the recent amendments being approved by the Cabinet,
the Information Technology Act 2000 (The Act) is all set to silence critics
with its new Avatar. The Act, much maligned for its supposed inadequacies, has
undergone major surgery. Malignant parts have been removed and life-saving transplants
have been made. Whether, the surgery has been able to able to expunge the inadequacies
still remains to be seen.
Not surprisingly, popular belief links cyber law to punishments
for hacking. The reasons are not hard to find. Hacking seems to conjure images
of dark, shadowy alleyways, populated with Keanu Reevess Neoisque
figures juggling with the world of bits and bytes that magically transform into
six and nine digit figures in the hackers bank account and dodge bullets,
Not many may know that the Act is more about the complex
and highly versatile world of digital signatures than it is about the fascinating
world of hacking. Personally, though, I believe cryptography (on which the concept
of digital signatures is based) will give hacking a run for its money if measured
by the yardsticks of romanticism and intrigue.
This brings us to the first failing of the Act, that of being
technology specific. Critics said, by specifying that only digital signatures
can be used to authenticate electronic records, the Act shut its doors all other
forms of electronic signatures, such as scanned thumbprints, signatures or PINs,
which can also be used for authentication.
Digital signatures are an application of asymmetric key cryptography
and their security is based upon the fact that it is computationally infeasible
to compromise the application with the computing power currently at our disposal.
What if due to some technological innovation, a path breaking invention or a
remarkable discovery, we should be able to overcome this limitation. Digital
signatures can no longer be used as authentication mechanisms and the whole
legal superstructure built around the concept will collapse, necessitating an
overhaul of the Act itself.
What about the money and the effort spent by organisations
to comply with the requirements of the Act? Well, the answer is not too hard
to guess. The first major amendment, then, introduces the concept of electronic
signatures in place of digital signatures. This provides an alternative to a
digital signature system which was the only option available earlier. But the
amendment states that authentication may be done,
.in such other
electronic form as the Central Government may prescribe from time to time.
As of right now, the Central Government has prescribed
rules for the implementation of digital signatures only and not for anything
else. So it is easy to say which form of signature organisations have to adopt
to comply till such time the Central Government prescribes,
other electronic form
.. (Which maybe today, tomorrow, next week,
next month, next year
..you get the idea!!)
Since its coming into force in the year 2000, I have received
this query umpteen number of times from professionals and individuals from different
walks of life, does a law court recognize an agreement entered into through
e-mails? The answer is, yes.
An agreement, the terms of which have been transmitted through
an e-mail or the contents of which are saved in a word file, i.e., in electronic
form, is a valid agreement. A court of law will not refuse to admit an agreement
solely because it is in electronic form. Just that, as in the case of an agreement
made in any other form, it has be proved that such an agreement was indeed entered
into between the parties concerned.
Earlier, this was not expressly stated in the Act and had
to be inferred from a reading of the provisions. A new chapter titled, Electronic
Contracts, Chapter IIIA, now expressly states this, removing any ambiguities
that may have existed in the minds of many.
The next piece of amendment will be of much interest to certifying
authorities and to the subscribers who have obtained digital signature certificates
from licensed certifying authorities. The provision which provided for the Controller
to act as a repository has been omitted. Repositories are now to be maintained
only by certifying authorities. The reasons provided are that maintaining a
repository is the primary responsibility of a certifying authority, not the
Controller and that it is an undue burden on the Controller.
For the uninitiated, a repository in a public key infrastructure
serves as a storehouse of digital signature certificates. The idea is, if a
person wants to verify the authenticity of a public key, he can retrieve the
corresponding digital signature certificate from the repository and do so.
The very fact that the person has been able to retrieve a
valid digital signature certificate from the Controllers repository provides
the element of trust, so important for a digital signature system to exist.
There is simple logic behind this. The Controller is a public servant and the
highest ranking authority under the Act. He has been entrusted with the task
of licensing certifying authorities. Thus, trust in him is highest.
If a subscriber can verify the antecedents of a certifying
authority or of another subscriber from the Controllers repository, the
trust that he would put into such verification would be much higher than from
any other source. Considering the fact that public key infrastructure in India
is still in its infancy, this would have given much needed reassurance to a
subscriber about the genuineness of the system and would have helped popularise
Admitted, as the number of subscribers increase, it would
not be easy for the Controllers office to manage the repository. But isnt
that a small price to pay for so big an idea?
The next series of amendments to the Act is significant as
it deals with privacy. Protection of privacy and personal data had never been
addressed directly by any law in force in India. Protection was finally given
by the Supreme Court in the form of a ruling which referred to privacy as a
right flowing from the constitutionally guaranteed right to life. The picture
regarding privacy and data protection laws will now be somewhat clear because
of these amendments.
The first in the series of amendments involving privacy protection
involves providing compensation of up to ten million rupees by an organisation,
that owns or handles sensitive personal data or information in a
computer resource that it owns or operates. If such an organisation has
been negligent in implementing and maintaining reasonable security practices
and procedures to protect sensitive personal data, it shall be liable
to pay compensation to any person affected by such negligence.
But for this to be workable the government has to move quickly
and formulate rules on two aspects. First, it has to prescribe reasonable
security practices to address cases where such practices are not defined
in a contract. Secondly, it needs to define what constitutes sensitive
personal data. Till then, the law, though made in letter, will be inoperative
next amendment in the series of privacy related amendments deals with disclosure
of information by intermediaries and service providers. Section 72 of the Act
penalised those agencies which in pursuance of the powers conferred
on them by the Act, (e.g., certifying authorities) having access to personal
information disclosed it without authorisation. It had limited scope because
it could only be applied to those cases where an agency disclosed personal information
to which it was privy because of requirements under the Act.
The amendment to the section now does away with this limitation
and penalises any intermediary who discloses subscriber information to which
it is privy by reason of that subscriber availing of the services provided by
the intermediary. A simple example would be all the providers who provide free
services on the Internet. Almost all of them require the subscriber to fill
in forms with personal information before he is allowed to avail of the services
offered. The amendment penalises disclosure of such information without the
consent of the concerned subscriber.
However, there is a catch. The provision states that if an
intermediary discloses this information, without the consent of such subscriber
and with intent to cause injury to him
. the subscriber is entitled
to a compensation of up to twenty five lakh rupees. It is interesting to note
that no intermediary would ever disclose such information with the intent to
cause injury to any subscriber. Rather the disclosure would most likely be caused
by the intent to derive profit with the knowledge that injury might result from
such disclosure. Without going into legal callisthenics, let me just say that
the language in which the provision is couched will make it extremely difficult
for a subscriber to get compensation from the errant intermediary.
other amendment in this series addresses the scourge of mobile phone cameras.
We have come across numerous incidents involving gross violation of privacy
where a mobile phone camera has been surreptitiously used to take photographs
or video clippings of private moments and private parts and then used to circulate
these snaps or clips around using either the telecom network or the Internet.
This can be extremely embarrassing and distressing to the victim.
The amended provision penalises intentional captures or broadcast
of an image of a private area of an individual without his consent. It is also
applicable to cases where an individual is unaware (and therefore unable to
give consent) that he is being photographed or that a video clipping of his
is being shot. The section provides for fine of up to twenty - five lakh rupees
and imprisonment of up to one year for the offenders. For action to be taken
under this section, the person aggrieved must file a written complaint before
a magistrate. An F.I.R before the police is not enough. The section is comprehensive
in its definitions and explanations and will definitely deter miscreants once
a few cases are prosecuted.
The spate of events that may have prompted these provisions
is well known. In mid 2005, a major scam involving the BPO company MSource in
Pune was discovered where a team of Msource employees had siphoned off more
than $425,000 using personal information of Citibank customers. Later that year,
the well-known British tabloid Sun, in a sting operation, was able to obtain
personal information of around 1,000 British citizens from the employee of another
BPO outfit, Infinity E - search at the price of £5.5 per employee. More
recently, in June 2006, another BPO fraud in Bangalore worth £233, 000
through HSBC came to light.
Earlier, MMS clips of a high school girl and a boy showing
intimate acts were being circulated across the country. More clips followed,
this time shot from hidden cameras placed in night clubs, bathrooms, swimming
pools and hotel rooms. In most cases, the victims never had an inkling of the
fact that their activities would be recorded and circulated around the country
where perfectly normal private moments could become so outrageously public.
These incidents were a clarion call to the government to
take action. Organisations handling personal data realised they had to have
the best information security practices implemented in their organisations.
These also highlighted the fact that organisations which compromised on sensitive
personal data by sacrificing security practices for shoring up bottom lines
could get away with it. Reason, there was simply no law in place which acted
as a deterrent to prevent them from doing so.
The amendments will certainly help stem public outcry abroad
against outsourcing to India, especially in services and will help bring back
some confidence to the companies giving outsourcing contracts to Indian firms.
With the European Unions Directives on Data Protection
being very stringent, major companies from the European Union have mostly stayed
away from outsourcing to India where such outsourcing involved handling personal
data, notably in the financial, legal and healthcare sectors. Although, a comprehensive
legislation on privacy and data protection would have been more welcome, this
is by no means a small achievement by our lawmakers.
Discussion now shifts to the more popular subject of cyber
crimes. Obviously, then, the first section that we will discuss has to relate
to hacking. In what is sure to raise the eyebrows of many, the proposed amendment
to the provision which penalised hacking does not define hacking. Instead, the
section has been renamed as a more stolid, computer related offences,
which in hindsight is perhaps right after all. Let me explain.
The earlier section defined hacking so widely that almost
every conceivable computer crime fell within its purview. This, by itself, is
perfectly acceptable till we consider the fact that you and I understand hacking
as unauthorised access. Thus the commonly accepted definition and the legal
definition were altogether different. This caused confusion even in the mind
of the most diligent student to whom the difference had been explained time
and again. To this, add the fact that purists in the field scoff at the idea
of defining hacking as an illegal activity. Instead, they say, we mean cracking
when we say hacking. Hackers, it seems are a benign lot, working only for the
benefit of the wide wired world, which is now increasingly turning wireless!
Now, all this has been put to rest by simply not defining
hacking at all! The provision has been divided into two parts. One part lays
down a punishment of up to a year in jail or fine of up to rupees two lakh or
both. Unauthorised access, unauthorised downloading of data and causing denial
of access, if done for dishonest or fraudulent purposes fall under this category.
The other part penalises introduction of a virus, disruption
of an electronic resource, credit card frauds and time thefts, aiding or assisting
in illegal activity and damaging a computer resource. The penalty for the said
offences is two years imprisonment or rupees five lakh fine or both.
Another topic which has always attracted much debate is pornography.
The provision penalising publishing and transmission of pornography has undergone
substantial change. Intermediaries have been excluded from the scope. This will
bring much needed relief to services based companies like Google and eBay, which
will now not be liable for third party pornographic material being accessed
through their sites.
More importantly, distinction has now been made between adult
and child pornography and penalty has been reduced to two years imprisonment
for adult pornography and three years imprisonment for child pornography. Only
those people have been made liable who are intentionally or knowingly
involved in transmission or publishing of pornographic material.
The inclusion of the phrase intentionally and knowingly
means that innocently forwarded e-mails with adult content will now be outside
the scope of this provision. The offence is punishable with two years
imprisonment (in cases of adult pornography) which automatically makes it non-cognisable
and bailable. So, any person arrested by law enforcement agencies on charges
of transmission or publishing will have to be released on bail.
There is more. Pictures, images and representations in electronic
form which are proved to be justified as being for the public good on the ground
of promotion of science, literature, art or learning are excluded form the purview
of this provision. Material used for religious purposes is also excluded. This
will please advocates of free speech and expression who have always argued that
(adult) pornography be made legal.
Intermediaries will also be relieved by the fact that their
liability extends only to those cases in which their active collusion is proved.
The earlier section, which made them liable for not taking due diligence to
prevent the transmission, has been removed. Considering the fiasco in the Baazee.com
case which led to the arrest of the CEO simply because a posting relating to
sale of a CD containing offensive material was found on Baazee.com, this is
certainly a laudable step by the legislators. Cyber café owners will
also heave a sigh of relief, as they are included within the definition of intermediaries.
The Act was had been criticised by all and sundry for giving
arbitrary powers to the police. Under the Act, the police could enter any public
and search and arrest without a warrant if they suspected commission of an offence
under the Act. This made all offences under the Act cognisable. (Cognisable
offences are those offences for which the police can arrest a suspected offender
without a warrant.) This provision has now been removed, making life easier
for the common man who feared arbitrary police action.
A small but significant change has also been made to the
provision which specified offences relating to companies. Generally, when an
offence committed by a company as a legal person, the person(s) managing the
affairs of the company are made liable. The amended Act now provides that such
a person will not be liable merely because he is in charge. Liability can only
be pinned when it is proved that the person knowingly connived to commit the
offence and failed to prevent the offence. Thus, it is not possible to prosecute
directors or managers unless active connivance is proved by the complainant.
Mere knowledge of the offence is not enough.
An overall feel of the amendments seems to have rectified
most of the drawbacks in the original Act. Despite the Act being in force since
2000 and the increasing use of computers in every sphere, we havent seen
much court action involving the Act.
I find it hard to believe that this can be attributed to
a lack of incidents. Is the Act so comprehensive that it forces litigants to
settle maters amicably or is this due to a lack of awareness about cyber law
or can this be attributed to enforcement woes attributable to rapidly changing
technology and the mode of committing crimes.