Issue of February 2007


(Amen!)dments to the Information Technology Act

Debasis Nayak, Director, Asian School of Cyber Laws discusses the recent amendments to the IT Act 2000 that clarify its provisions and give it teeth. In the backdrop of e-fraud in banking and BPO, he clearly lays out the shortcomings that existed in the IT Act and how these have been addressed in its latest avatar.

Debasis Nayak

With the recent amendments having been approved by the Cabinet, the Information Technology Act 2000 (the Act) is all set to silence critics with its new avatar. The Act, much maligned for its supposed inadequacies, has undergone major surgery: malignant parts have been removed and life-saving transplants made. Whether the surgery has managed to expunge the inadequacies remains to be seen.

Not surprisingly, popular belief links cyber law to punishments for hacking. The reasons are not hard to find. Hacking conjures images of dark, shadowy alleyways populated by Keanu Reeves's Neo-esque figures who juggle bits and bytes that magically transform into six- and nine-digit figures in the hacker's bank account, and who dodge bullets while they are at it.

Not many may know that the Act is more about the complex and highly versatile world of digital signatures than it is about the fascinating world of hacking. Personally, though, I believe cryptography (on which the concept of digital signatures is based) will give hacking a run for its money if measured by the yardsticks of romanticism and intrigue.

This brings us to the first failing of the Act: that of being technology specific. Critics said, "by specifying that only digital signatures can be used to authenticate electronic records, the Act shut its doors to all other forms of electronic signatures, such as scanned thumbprints, signatures or PINs", which can also be used for authentication.

Digital signatures are an application of asymmetric key cryptography, and their security rests on the fact that, with the computing power currently at our disposal, it is computationally infeasible to derive the private key from the public key or to forge a signature without it. What if, owing to some technological innovation, a path-breaking invention or a remarkable discovery, that limitation were overcome? Digital signatures could then no longer be used as authentication mechanisms, and the whole legal superstructure built around the concept would collapse, necessitating an overhaul of the Act itself.

What about the money and effort spent by organisations to comply with the requirements of the Act? Well, the answer is not too hard to guess. The first major amendment, then, introduces the concept of electronic signatures in place of digital signatures, providing an alternative to the digital signature system that was the only option available earlier. But the amendment merely states that authentication may be done "...in such other electronic form as the Central Government may prescribe from time to time."

As of now, the Central Government has "prescribed" rules for the implementation of digital signatures only, and for nothing else. So it is easy to say which form of signature organisations have to adopt to comply until such time as the Central Government prescribes "...such other electronic form..." (which may be today, tomorrow, next week, next month, next year... you get the idea!)

Since the Act came into force in the year 2000, I have received this query umpteen times from professionals and individuals from different walks of life: "does a law court recognise an agreement entered into through e-mails?" The answer is yes.

An agreement the terms of which have been transmitted through an e-mail, or the contents of which are saved in a Word file, i.e., in electronic form, is a valid agreement. A court of law will not refuse to admit an agreement solely because it is in electronic form. Just that, as in the case of an agreement made in any other form, it has to be proved that such an agreement was indeed entered into between the parties concerned.

Earlier, this was not expressly stated in the Act and had to be inferred from a reading of the provisions. A new chapter titled, “Electronic Contracts”, Chapter IIIA, now expressly states this, removing any ambiguities that may have existed in the minds of many.

The next piece of amendment will be of much interest to certifying authorities and to the subscribers who have obtained digital signature certificates from licensed certifying authorities. The provision which provided for the Controller to act as a repository has been omitted. Repositories are now to be maintained only by certifying authorities. The reasons provided are that maintaining a repository is the primary responsibility of a certifying authority, not the Controller and that it is an undue burden on the Controller.

For the uninitiated, a repository in a public key infrastructure serves as a storehouse of digital signature certificates. The idea is, if a person wants to verify the authenticity of a public key, he can retrieve the corresponding digital signature certificate from the repository and do so.
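The verification that a repository makes possible, shown as an added example in Go; this is not code from the article, nor from any certifying authority's software. A certifying authority issues a subscriber a digital signature certificate and publishes it in the repository; the subscriber signs an electronic record with the private key only he holds; a relying party fetches the certificate from the repository, checks that it chains to the root certificate of the authority he already trusts, and only then checks the signature on the record. Everything not in the article is an assumption: the repository is an in-memory map keyed by subscriber name rather than a directory service, the keys are ECDSA P-256 with SHA-256 (the algorithm choice is illustrative, not the one the Act's rules prescribe), and the authority and subscriber names and the record text are made up. The main function also shows what the relying party sees when the record has been altered after signing, and when a certificate sitting in the same repository was issued by an authority he does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template is a minimal certificate template, valid from an hour ago for one day.
func template(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// NewCA generates a certifying authority's key pair and self-signed root certificate, the trust anchor.
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(name, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage |= x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Issue certifies a fresh subscriber key pair under the CA and publishes the DER certificate in the
// repository (assumed here to be an in-memory map keyed by subscriber name, not a directory service).
// Only the private key goes back to the subscriber.
func Issue(repo map[string][]byte, caKey *ecdsa.PrivateKey, caCert *x509.Certificate, subscriber string, serial int64) (*ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, template(subscriber, serial), caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	repo[subscriber] = der
	return key, nil
}

// SignRecord is the subscriber's side: ECDSA over the SHA-256 digest of the electronic record.
func SignRecord(key *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyRecord is the relying party's side: fetch the subscriber's certificate from the repository,
// check that it chains to the trusted root, and only then check the record's signature against it.
func VerifyRecord(repo map[string][]byte, root *x509.Certificate, subscriber string, record, sig []byte) error {
	cert, err := x509.ParseCertificate(repo[subscriber]) // a missing entry is empty DER, which fails to parse
	if err != nil {
		return fmt.Errorf("no usable certificate for %q in repository: %w", subscriber, err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes the record with SHA-256 and verifies it against the certified public key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, record, sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

func main() {
	repo := map[string][]byte{}
	caKey, caCert, err := NewCA("Licensed Certifying Authority") // made-up name
	if err != nil {
		panic(err)
	}
	subKey, err := Issue(repo, caKey, caCert, "subscriber@example.test", 2) // made-up subscriber
	if err != nil {
		panic(err)
	}
	record := []byte("I accept the terms sent by e-mail on 1 February 2007.") // constructed record
	sig, _ := SignRecord(subKey, record)
	fmt.Println("genuine record:  ", VerifyRecord(repo, caCert, "subscriber@example.test", record, sig))
	fmt.Println("altered record:  ", VerifyRecord(repo, caCert, "subscriber@example.test", []byte("I accept nothing."), sig))
	// A certificate from an untrusted issuer is rejected even though it sits in the same repository.
	rogueKey, rogueCert, _ := NewCA("Unlicensed Certifying Authority")
	impostorKey, _ := Issue(repo, rogueKey, rogueCert, "impostor", 3)
	rogueSig, _ := SignRecord(impostorKey, record)
	fmt.Println("untrusted issuer:", VerifyRecord(repo, caCert, "impostor", record, rogueSig))
}
```

Note where the trust actually comes from: the root certificate the relying party already holds, not the repository. The repository only makes certificates available, and anyone can publish into it, which is why the chain check has to come before the signature check. The impostor's signature is perfectly well formed under its own issuer; what rejects it is that the issuer is not the trusted root.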

The very fact that the person has been able to retrieve a valid digital signature certificate from the Controller’s repository provides the element of trust, so important for a digital signature system to exist. There is simple logic behind this. The Controller is a public servant and the highest ranking authority under the Act. He has been entrusted with the task of licensing certifying authorities. Thus, trust in him is highest.

If a subscriber can verify the antecedents of a certifying authority or of another subscriber from the Controller’s repository, the trust that he would put into such verification would be much higher than from any other source. Considering the fact that public key infrastructure in India is still in its infancy, this would have given much needed reassurance to a subscriber about the genuineness of the system and would have helped popularise it.

Admitted, as the number of subscribers increase, it would not be easy for the Controller’s office to manage the repository. But isn’t that a small price to pay for so big an idea?

The next series of amendments to the Act is significant as it deals with privacy. Protection of privacy and personal data had never been addressed directly by any law in force in India. Protection was finally given by the Supreme Court in the form of a ruling which referred to privacy as a right flowing from the constitutionally guaranteed right to life. The picture regarding privacy and data protection law will now be somewhat clearer because of these amendments.

The first in the series of privacy-related amendments provides for compensation of up to ten million rupees from an organisation "...that owns or handles sensitive personal data or information in a computer resource that it owns or operates." If such an organisation has been negligent in implementing and maintaining "reasonable security practices" and procedures to protect "sensitive personal data", it is liable to pay compensation to any person affected by such negligence.

But for this to be workable the government has to move quickly and formulate rules on two aspects. First, it has to prescribe “reasonable security practices” to address cases where such practices are not defined in a contract. Secondly, it needs to define what constitutes “sensitive personal data.” Till then, the law, though made in letter, will be inoperative in spirit.

The next amendment in the series of privacy related amendments deals with disclosure of information by intermediaries and service providers. Section 72 of the Act penalised those agencies which “in pursuance” of the powers conferred on them by the Act, (e.g., certifying authorities) having access to personal information disclosed it without authorisation. It had limited scope because it could only be applied to those cases where an agency disclosed personal information to which it was privy because of requirements under the Act.

The amendment to the section now does away with this limitation and penalises any intermediary who discloses subscriber information to which it is privy by reason of that subscriber availing of the services provided by the intermediary. A simple example would be all the providers who provide free services on the Internet. Almost all of them require the subscriber to fill in forms with personal information before he is allowed to avail of the services offered. The amendment penalises disclosure of such information without the consent of the concerned subscriber.

However, there is a catch. The provision states that if an intermediary discloses this information "without the consent of such subscriber and with intent to cause injury to him...", the subscriber is entitled to compensation of up to twenty-five lakh rupees. It is hard to imagine an intermediary disclosing such information with the intent to cause injury to a subscriber. Rather, the disclosure would most likely be driven by the intent to derive profit, with the knowledge that injury might result from it. Without going into legal callisthenics, let me just say that the language in which the provision is couched will make it extremely difficult for a subscriber to get compensation from the errant intermediary.

The other amendment in this series addresses the scourge of mobile phone cameras. We have come across numerous incidents involving gross violation of privacy where a mobile phone camera has been surreptitiously used to take photographs or video clippings of private moments and private parts and then used to circulate these snaps or clips around using either the telecom network or the Internet. This can be extremely embarrassing and distressing to the victim.

The amended provision penalises the intentional capture or broadcast of an image of a private area of an individual without his consent. It also applies to cases where the individual is unaware (and therefore unable to give consent) that he is being photographed or that a video clip of him is being shot. The section provides for a fine of up to twenty-five lakh rupees and imprisonment of up to one year for offenders. For action to be taken under this section, the aggrieved person must file a written complaint before a magistrate; an FIR (first information report) lodged with the police is not enough. The section is comprehensive in its definitions and explanations and will definitely deter miscreants once a few cases are prosecuted.

The spate of events that may have prompted these provisions is well known. In mid-2005, a major scam involving the BPO company MSource in Pune was discovered, in which a team of MSource employees had siphoned off more than $425,000 using the personal information of Citibank customers. Later that year, the well-known British tabloid The Sun, in a sting operation, was able to obtain the personal information of around 1,000 British citizens from an employee of another BPO outfit, Infinity E-search, at a price of £5.50 per record. More recently, in June 2006, another BPO fraud in Bangalore, worth £233,000 and routed through HSBC, came to light.

Earlier, MMS clips of a high school girl and a boy showing intimate acts were being circulated across the country. More clips followed, this time shot from hidden cameras placed in night clubs, bathrooms, swimming pools and hotel rooms. In most cases, the victims never had an inkling of the fact that their activities would be recorded and circulated around the country where perfectly normal private moments could become so outrageously public.

These incidents were a clarion call to the government to take action. Organisations handling personal data realised they had to have the best information security practices in place. The incidents also highlighted the fact that organisations which compromised sensitive personal data by sacrificing security practices to shore up their bottom lines could get away with it. The reason: there was simply no law in place to deter them from doing so.

The amendments will certainly help stem public outcry abroad against outsourcing to India, especially in services and will help bring back some confidence to the companies giving outsourcing contracts to Indian firms.

With the European Union’s Directives on Data Protection being very stringent, major companies from the European Union have mostly stayed away from outsourcing to India where such outsourcing involved handling personal data, notably in the financial, legal and healthcare sectors. Although, a comprehensive legislation on privacy and data protection would have been more welcome, this is by no means a small achievement by our lawmakers.

Discussion now shifts to the more popular subject of cyber crimes. Obviously, then, the first section that we discuss has to relate to hacking. In what is sure to raise the eyebrows of many, the proposed amendment to the provision which penalised hacking no longer defines hacking. Instead, the section has been renamed with the more stolid "computer related offences", which in hindsight is perhaps right after all. Let me explain.

The earlier section defined hacking so widely that almost every conceivable computer crime fell within its purview. This, by itself, is perfectly acceptable till we consider the fact that you and I understand hacking as unauthorised access. Thus the commonly accepted definition and the legal definition were altogether different. This caused confusion even in the mind of the most diligent student to whom the difference had been explained time and again. To this, add the fact that purists in the field scoff at the idea of defining hacking as an illegal activity. Instead, they say, we mean cracking when we say hacking. Hackers, it seems are a benign lot, working only for the benefit of the wide wired world, which is now increasingly turning wireless!

Now all this has been put to rest by simply not defining hacking at all! The provision has been divided into two parts. One part lays down a punishment of up to a year in jail or a fine of up to two lakh rupees, or both. Unauthorised access, unauthorised downloading of data and causing denial of access, if done for dishonest or fraudulent purposes, fall under this category.

The other part penalises the introduction of a virus, disruption of an electronic resource, credit card fraud and time theft, aiding or assisting in illegal activity, and damaging a computer resource. The penalty for these offences is up to two years' imprisonment or a fine of up to five lakh rupees, or both.

Another topic which has always attracted much debate is pornography. The provision penalising the publishing and transmission of pornography has undergone substantial change. Intermediaries have been excluded from its scope. This will bring much needed relief to service-based companies like Google and eBay, which will now not be liable for third-party pornographic material being accessed through their sites.

More importantly, a distinction has now been made between adult and child pornography, and the penalty has been reduced to two years' imprisonment for adult pornography and three years' imprisonment for child pornography. Only those who are "intentionally or knowingly" involved in the transmission or publishing of pornographic material have been made liable.

The inclusion of the phrase "intentionally or knowingly" means that innocently forwarded e-mails with adult content will now be outside the scope of this provision. The offence is punishable with two years' imprisonment (in cases of adult pornography), which automatically makes it non-cognisable and bailable. So any person arrested by law enforcement agencies on charges of transmission or publishing will be entitled to release on bail.

There is more. Pictures, images and representations in electronic form which are proved to be justified as being for the public good, on the ground of promotion of science, literature, art or learning, are excluded from the purview of this provision. Material used for religious purposes is also excluded. This will please advocates of free speech and expression, who have always argued that (adult) pornography be made legal.

Intermediaries will also be relieved that their liability extends only to those cases in which their active collusion is proved. The earlier provision, which made them liable for not exercising due diligence to prevent the transmission, has been removed. Considering the fiasco in which a CEO was arrested simply because a posting relating to the sale of a CD containing offensive material was found on his company's site, this is certainly a laudable step by the legislators. Cyber cafe owners will also heave a sigh of relief, as they are included within the definition of intermediaries.

The Act had been criticised by all and sundry for giving arbitrary powers to the police. Under the Act, the police could enter any public place and search and arrest without a warrant if they suspected the commission of an offence under the Act. This made all offences under the Act cognisable. (Cognisable offences are those for which the police can arrest a suspected offender without a warrant.) This provision has now been removed, making life easier for the common man who feared arbitrary police action.

A small but significant change has also been made to the provision which specifies offences by companies. Generally, when an offence is committed by a company as a legal person, the person(s) managing the affairs of the company are made liable. The amended Act now provides that such a person will not be liable merely because he is in charge. Liability can be pinned only when it is proved that the person knowingly connived in the commission of the offence and failed to prevent it. Thus it is not possible to prosecute directors or managers unless active connivance is proved by the complainant; mere knowledge of the offence is not enough.

Overall, the amendments seem to have rectified most of the drawbacks of the original Act. Yet, despite the Act being in force since 2000 and the increasing use of computers in every sphere, we haven't seen much court action involving it.

I find it hard to believe that this can be attributed to a lack of incidents. Is the Act so comprehensive that it forces litigants to settle matters amicably? Or is this due to a lack of awareness about cyber law? Or can it be attributed to enforcement woes arising from rapidly changing technology and modes of committing crimes?

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.