By K. K. Mookhey, NII Consulting
The Information Technology Act 2000 is India’s only act dealing with computer crime. For companies doing business in India, it is worthwhile to know the legal framework which provides for the protection of information. This article describes the important sections of the IT Act. It also looks at some of the more high-profile cases where the Act has been applied. Not always has the Law been an ally of the good, and there have been cases of its more Draconian sections being misused to settle scores. The Act can be downloaded here
The IT Act 2000 is based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law and by the General Assembly of the United Nations. In this respect, the IT Act takes many of its sections on sending/receiving of electronic messages directly from the Model Law, but focuses a little too much on Digital Signatures, Digital Certificates, and Certifying Authorities, which we shall ignore for the purposes of the current discussion.

One of the most high-profile cases where the IT Act came into the picture was the arrest of Avnish Bajaj, CEO of Baazee.com (the Indian arm of eBay). A student of one of India’s premier engineering colleges – IIT – put up for auction a pornographic clip of two high-school students. When the police were informed of this, they arrested not just the IIT student, but also Bajaj under section 67 of the IT Act – “Publishing of information, which is obscene in electronic form”. This raised a furore in various circles, where the opinion was that it was completely unjustified to arrest Bajaj, since he had not actually published the clip on his website.

Another controversial case involved the arrest of the owners of the cyber café from where some youth had emailed Members of Parliament about a bomb threat, which later turned out to be a hoax. Given this rocky start, it is an interesting exercise to analyze the various sections of the Act and their business and technology implications.
Incidentally, there have been a number of discussions on revisions to the IT Act, but these have not been scheduled for inclusion yet. Some of the welcome changes include stringent punishment for child pornography, increased emphasis on data privacy and security of personal data, specific punishment for violation of confidentiality of data, as well as a new section granting validity to electronic contracts.
The IT Act has 12 chapters, and 4 schedules. The chapters are divided as follows:
| No. | Chapter | Summary |
|---|---|---|
| 1. | Preliminary | Definitions of terms used in the rest of the document |
| 2. | Digital Signature | Very brief authorization for use of digital signatures for electronic records |
| 3. | Electronic Governance | Provides for the legal recognition of electronic records – especially by Govt. agencies |
| 4. | Attribution, Acknowledgement, and Despatch of Electronic Records | Discusses when an electronic message shall be considered to be “sent” and when it will be considered to be “received” |
| 5. | Secure Electronic Records and Secure Digital Signatures | Discusses (a bit vaguely) what is considered as “secure” electronic records and digital signatures |
| 6. | Regulation of Certifying Authorities | Discusses who can be appointed as a CA, and what their responsibilities and authorities are |
| 7. | Digital Signature Certificates | Who can issue Digital Certificates, what they should contain, and rules for revocation |
| 8. | Duties of Subscribers | Generation or acceptance of the key pair, and reasonable care for securely using it |
| 9. | Penalties and Adjudication | Penalties for damage to computer systems – INR 1 crore; Failure to furnish information – INR 1,50,000; Failure to maintain records – INR 10,000 per day; Residuary penalty – INR 25,000 |
| 10. | Cyber Regulations Appellate Tribunal | Establishment, composition and powers of a Cyber Appellate Tribunal to adjudicate in matters related to this Act |
| 11. | Offences | Tampering with computer source documents – 3 years imprisonment, or fine of INR 200,000, or both; Hacking with computer system – as above; Publishing of obscene information – as above |
| 12. | Network Service Providers not to be Liable in Certain Cases | If offence committed without his knowledge or due diligence was exercised |
| 13. | Miscellaneous | Power of police officer; Offences by companies; Power of Central and State Governments |
These are followed by four Schedules, which are essentially modifications to relevant sections of other Acts. These are as follows:
- The First Schedule – Amendments to the Indian Penal Code
  - Primarily related to changes of the word “document” to “document and electronic record”
- The Second Schedule – Amendment to the Indian Evidence Act
  - Admissibility of electronic evidence
  - Most relevant to current discussions
- The Third Schedule – Amendment to the Banker’s Book Evidence Act
  - Definition of “banker’s books” expanded to include electronic records
  - Legitimacy of print outs
- The Fourth Schedule – Amendment to the RBI Act
  - Regulation of fund transfer through electronic means
The first point to note is the definitions for terms that are used within the various sections:
“access” with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;
“computer” means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
Sections of note:
43: Penalty for damage to computer
Sets the penalty at INR 10 million for any damage or unauthorized access to a computer system. This definition is pretty wide ranging, and port scanning also seems to be covered, especially if you cross-reference with the definition of “access”.
46: Power to adjudicate
For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.
66: Hacking with computer system
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack:

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to INR 200,000, or with both.
67: Publishing of information which is obscene
Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons…
72: Penalty for breach of confidentiality and privacy
Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation…
78: Power to investigate offences
Notwithstanding anything contained in the Code of Criminal Procedure, 1973, a police officer not below the rank of Deputy Superintendent of Police shall investigate any offence under this Act.
79: Network service providers not to be liable in certain cases
For the removal of doubts, it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.
85: Offences by companies
(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly: Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.
Amendments to Indian Evidence Act “Admissibility of electronic records”
- Does not mandate the forensics procedure to be adopted for the evidence to be admissible in court.
- Is too Draconian in some respects, especially sections related to Offences by companies, Confiscation, Hacking, and Publishing of Obscene information
- Setting up of the Cyber Appellate Tribunal or posting of the adjudicating officer as mandated in section 46 and 57
- Too much of a focus on digital signatures, digital certificates and certifying authorities – very few sections deal with actual cyber crimes
- Data privacy is not addressed in either the Indian IT Act or anywhere else.
- Does not address practical issues of actually implementing the measures it lists out
- Although cyber security cells have been set up in the major cities around the country, they’re often under-staffed and under-equipped.