By Vijay Mukhi and Karan Gokani
Stirred by the recent data theft cases that have hit the international headlines,
and fearing the devastating repercussions these may have on the BPO industry in
India, an Expert Committee appointed by the Central Government has proposed
several amendments to the Information Technology Act 2000 (IT Act). However,
the Amended IT Act that awaits parliamentary approval is merely a piecemeal
attempt to patch the original one. A more productive course, considering the
failure of the previous Act, would have been a rewrite of the entire Act while
simultaneously revamping the system of law enforcement that applies to IT
related offences in India.
In a country like India, where the Business Process Outsourcing (BPO) industry
is growing so rapidly, it is crucial that there is a strong and reliable system of
enforceable legislation to reinforce customer confidence. The most realistic way
of establishing such a system, keeping in mind the distinctive features of our
legal system, would be to update well established laws so that they apply to
present circumstances, while at the same time legislating new laws, guidelines
and rules on matters that the prevailing laws do not cover. Thus, ideally, the IT
Act should be an umbrella act under which various auxiliary legislations coexist.
The recently amended IT Act tries to achieve this by vesting power in the Central
Government to frame rules and guidelines on various issues, so as to make the
new Act resilient to technological change. Unfortunately, as a result of this
approach, certain key areas remain vague and undefined.
Observations on the Proposed Amendments to the IT Act, 2000 aims at
analysing the proposed IT Act while debating the relevance of certain provisions,
and suggesting possible alterations and additions. The paper discusses the
feasibility of the IT Act as a single, all encompassing statute in the present-day
IT scenario in India. Moreover, the paper makes recommendations on several
issues such as mobile phone cloning, the standard of due diligence for Cyber
Cafés, ISPs and Corporations, and other vital issues that have been overlooked
by the new Act.
The IT Act was expected to ensure the end of Cyber Crime in India. Such
a high expectation itself spelt the doom of this legislation. It must be
understood that no single Act (no matter how well legislated) can
satisfactorily address all the issues pertaining to Information Technology
and Cyberspace. That's precisely where the Act and its critics went wrong.
The attention, instead of being solely on legislating the IT Act, should have
simultaneously been on establishing a system to enforce its provisions.
Therefore the inclusion of such a section in the Act is rather absurd, and can
have severe ramifications.
Section 19: Recognition of Foreign Certifying Authorities
This section provides that the Controller of Certifying Authorities can, with the
previous approval of the Central Government, and in accordance with the
conditions and restrictions that may be prescribed by regulations, recognise any
foreign Certifying Authority as a Certifying Authority for the purpose of this Act.
It is therefore essential for the Controller to implement the provisions of this
section expeditiously, in order to facilitate E-Commerce with foreign clients.
Section 20: Controller to act as a Repository (deleted)
This section has been deleted. Thereby, under the proposed Act, the Controller is
no longer the repository of all Electronic Signatures. This function has been
handed over to the Certifying Authority, as it is believed that this section placed
an unnecessary legal obligation on the Controller in case of a dispute between a
Certifying Authority and a Subscriber, and additionally the practice of making the
Controller the repository of Electronic Signatures is not followed anywhere
else in the world.
While the effect of this amendment cannot be predicted at present, it may prove
to be a difficult task in the future to keep a consolidated record of all the public
keys issued by the various Certifying Authorities.
Section 43: Compensation for Damage to Computer, Computer System, etc.
This section may be said to impose a strict liability, as no intent or knowledge is
required of the actor. Hence, even when the victim suffers no damage or harm,
the person committing any of the acts enumerated under this section can be held
liable. Likewise, even an innocent person may be directed to pay damages for a
mistaken act of his. Therefore, to avoid such an unfair situation, the section must
be amended to include damage or injury to a computer resource as a condition
for damages.
The provisions listed under this section are analysed below:
At the outset, it must be noted that Explanation (vii) to the section clearly
states that "without the permission of the owner" shall include access to
information that exceeds the level of authorised access permitted.
Subsection (1) Clauses (d), (e), (f) are very similar and can be made to
apply to acts such as Denial of Service attacks, installation of software
applications that use up system resources, or even changing a file
name or a file's location in storage.
Subsection (1) Clause (h) deals with password theft and subsequent
misuse, credit card frauds, identity theft cases, etc.
This section imposes a strict liability on any person who publishes or transmits or
causes to be published in electronic form any pornographic material, as it
makes no mention of his having had the intention or knowledge of doing so. Such
a provision can prove to be rather severe, as a person may be held liable for
publishing pornographic data without his knowledge. Take for instance a
computer virus which infects a person's email client and sends out pornographic
pictures to all the addresses in the address book, or an innocent hyperlink which
directs a person to a webpage which in turn causes various pornographic web
pages to pop up.
The implications of this section can be stretched further to include an offensive
joke sent to a person through an SMS or email, for which he could be held liable
under this section!
On the other hand it is difficult to understand why the maximum term of
imprisonment for publishing pornography has been reduced from five years to
two years on first conviction, and from ten years to five years in the case of a
subsequent conviction.
However, the second subsection, which provides a stricter penalty for publishing
child pornography, is a welcome addition and tackles a social issue of great
relevance in recent times, though the words "intentionally and knowingly" should
be rephrased to read "intentionally or knowingly".
It is also interesting to note that under this section, a person cannot be held liable
for viewing pornographic material. Even the rather far-fetched contention that by
viewing a webpage a cached copy of the page is created on the computer is
not applicable any more, as it is now widely accepted in courts the world over
that a cached copy created automatically by the browser does not amount to
downloading or transmitting the data.
Section 68A: Encryption and Other Technologies for Security of Data
This section is a welcome change, and will help E-Commerce, if the Central
Government fulfils its duty of prescribing modes or methods for encryption from
time to time.
Section 69: Power to Issue Directions for Interception or Monitoring or
Decrypting of any Information through any Computer Resource
The amended section provides that only the Central Government may issue
directions to intercept communications, as compared to the original section under
which even the Controller of Certifying Authorities was empowered to do so.
Such a change has probably been made with a view to preventing the misuse of this
power. But a better approach would have been to retain this power while
simultaneously prescribing harsh penalties for its abuse.
does not require the person to have any specific intention, even an obscene joke
sent to the wrong mobile number can land a person in jail!
Port Scanning
A port scan, in simple words, is an attempt, by means of network connections, to
find out which services and software applications are running on a computer.
Though a scan is usually only reconnaissance in preparation for breaking into a
computer, it may be punished under Section 43(1)(a), which prohibits accessing a
computer resource without the permission of the owner or person responsible for
it, or similarly under Section 66(a)(i) if done dishonestly or fraudulently.
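What a connect scan actually does on the wire, shown as an added example that is not part of the original paper: for each probed port the scanner completes a full TCP three-way handshake with the target (a connection is opened and immediately closed), and a port that accepts the connection is reported as open. That completed connection is the "access" the authors argue Section 43(1)(a) may reach. The listener, the 127.0.0.1 target and the probed ports are constructed for the demonstration so it runs offline; a scanner like this must only be pointed at hosts you own or are authorised to test.

```python
"""TCP connect scan against a constructed local listener (added example)."""
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Bind a throwaway TCP service on an OS-assigned port (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        # Accept and drop connections until the listening socket is closed.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_port(host="127.0.0.1"):
    """Obtain a port number that nothing is listening on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Return the subset of `ports` on `host` that accept a TCP connection.

    Each probe is a full three-way handshake: the kernel sends SYN, the target
    answers SYN/ACK (open) or RST (closed), and we ACK before closing.
    """
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:
            # ConnectionRefusedError (RST) or timeout (filtered): not open.
            pass
        finally:
            s.close()
    return open_ports


def demo():
    """Scan one listening and one closed local port; return (open_found, closed_found)."""
    srv, listening = start_listener()
    try:
        silent = closed_port()
        found = connect_scan("127.0.0.1", [listening, silent])
    finally:
        srv.close()
    return listening in found, silent in found


if __name__ == "__main__":
    print("open port detected, closed port detected:", demo())
```

A SYN ("half-open") scan of the kind nmap performs by default stops after the SYN/ACK and never completes the handshake; whether that still constitutes "access" is exactly the kind of question the Act leaves to the courts.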
Penetration Tests
A penetration test goes a step beyond a port scan: it actively probes, and may
attempt to exploit, vulnerabilities on a computer. Hence a person conducting a
penetration test without the permission of the owner may be held liable under
Section 43(1)(a), which prohibits accessing a computer resource without the
permission of the owner or person responsible for it, or similarly under Section
66(a)(i) if he does so dishonestly or fraudulently.
Password Theft
A computer password is usually stored on the computer in a protected (hashed)
form rather than as plain text. Therefore the act of changing a stored password
would make a person liable under Section 43 or Section 66 of the Act. However,
it is interesting to note that if a person sends an email message using another
person's email account from his own computer, he is not liable for any offence
under the Act, as it fails to address this and other similar issues.
Misuse of Internet Account or Other Paid Service Account
If any person misuses an internet account or other such account for which another
person is billed, he can be held liable under Section 43(1)(h), or even
Section 66(b)(iii) (if he does so dishonestly or fraudulently) of the Act.
Phishing
Phishing is the act of tricking a person into disclosing credentials or other
personal data by means of a message or website that impersonates a trusted
party, and thereby stealing that person's online identity. The act of phishing
alone is not punishable under the Act; only the subsequent damage, loss or fraud
caused as a result of it may make the perpetrator liable under the Act or other
penal provisions.
This issue should have been clearly addressed by the IT Act, especially since the
incidence of gaming frauds, Nigerian frauds and other such crimes has
increased manifold in recent times. Though one may argue that phishing is an
attempt to defraud someone, and therefore can be punished under the IPC, the
unique nature of these crimes, the ease with which they can be carried out and
the far-reaching consequences they could have call for specialised
legislation (such as the IT Act) to deal with them.
Recording of Private Conversations
It is interesting to note that Section 72(3) restricts itself to the capturing or
broadcast of an image of a private area of an individual without his consent.
Therefore the act of recording a private conversation of an individual without his
consent has not been made an offence under the Act.
While dealing with the issue of privacy of an individual, the Act should have
included capturing of voice conversations and all private acts without the consent
of the individual, rather than restricting itself to only visual images and that too of
only the private parts of the individual.
Morphing of Images
This issue has been overlooked by the Act.
Disclosure of Personal Data
Section 43(2) makes a company, firm or other association responsible for
safeguarding any sensitive personal data that it handles. Therefore, in the
absence of adequate security measures, if an employee discloses such data to any
person who has no right to it, the company, firm or other association
may be held liable under this section.
Mobile Phone Cloning and IMEI Number Reprogramming
Though the Act does not specifically deal with these offences, a person can be
held liable for cloning a mobile phone SIM Card or reprogramming the IMEI
number without the permission of the owner or person responsible for the mobile
phone under Section 43(1)(a) or even Section 66(a)(i) if he does so dishonestly
or fraudulently. These sections may be applied, owing to the fact that a mobile
phone falls well within the definition of a Computer resource.
Who is the Owner of a Computer Resource?
Where multiple users use a computer at home, it is difficult to ascertain who the
owner of the computer would be for the purposes of Section 43 and Section 66.
Hence, for instance, if a man plants a key-logging device on a computer shared
by him and his wife, to monitor his wife's activities, would he be committing an
offence under the Act?
CONCLUSION
It is interesting to observe that only a few decades ago, it was the norm for
countries to have relaxed IT laws, to encourage growth of technology and the
internet. Today, however, this attitude has reversed its path and legislators the
world over are working vigorously to regulate cyberspace, and the use of
technology.
India on the other hand seems to be following the earlier practice of encouraging
technology through lawlessness. In fact the recent amendments to the IT Act
clearly show that the Government is more concerned with relaxing penal
provisions rather than consolidating the laws in our country to dispel the fears of
MNCs and foreign investors.
The prevailing IT laws need to clearly address issues such as mobile phone
cloning, number portability, password theft, spam emails and SMS messages,
convergence of mobile phones and credit cards, standards of due diligence for
intermediaries, investigation of cyber crimes and examination of electronic
evidence, technical training of Cyber Crime Investigators, lawyers and the
judiciary, etc.
A strong system of IT law in India can only be realised as a result of the
combined effort of experts in the fields of Technology, Law Enforcement,
Legislation and the Judiciary. This is essential, as a technology expert can
foresee technological changes in the future, a legal expert can foresee
complications in the courtroom, and an enforcement official can foresee the
technical difficulties of implementation. Keeping these views in mind, the
problems that currently ail the system, as well as those that may arise in the
future, must be given careful consideration, and a system that can adapt to
subsequent changes in technology must be instituted.
Finally the government must act soon to establish this system, failing which
lawlessness on the net will turn people away from it, rather than popularising its
use (as the Internet still remains a novel concept for most people in India). Also a
weak legal framework will attract International Cyber Criminals, and it will not be
long before our shores become a haven for Cyber Criminals, instead of foreign
investors.
APPENDIX A
The new dictum the world over is, "Think twice before confiscating a
computer." This is simply because a single server may run more than one
website, and similarly the functioning of an entire corporation may be
dependent on a server. Confiscating a server for investigation in such a
situation would be impractical. Hence, unless absolutely necessary, physical
machines should not be confiscated.
Once the computer has been shut down, a prescribed forensic tool such
as EnCase should be used to make an image of the hard drive. We
recommend that the copy of the hard disk be made on write-once media
that cannot be tampered with or altered in the future. A cryptographic hash
of the original disk and of the image should be computed at the time of
acquisition and recorded alongside the seizure memo, so that the image can
later be shown to be an exact copy and any subsequent alteration of either
can be demonstrated.
Once the hard disk is seized by the investigator and sealed before the
witnesses, the seal must be opened for the purpose of making a copy
only before a magistrate or investigating witnesses, so that it cannot later
be contended that the evidence has been tampered with.
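The imaging and verification step described above, as an added example that is not the paper's or any forensic vendor's code: the source is copied bit for bit into an image file while both are hashed, the image is made read-only as a software stand-in for write-once media, and the recorded hash is later used to prove that the image is unchanged (or to show that it is not). The "disk" here is a constructed file of random bytes; on a real acquisition the source would be the block device, opened through a hardware write blocker, and the record would go into the custody log.

```python
"""Disk-image acquisition with integrity hashes (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read and hash in 1 MiB pieces so large disks fit in memory


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, image_path):
    """Copy `source` bit for bit into `image_path`, hashing the source as it is read.

    Returns an acquisition record: sizes, the hash of the source as read, the
    hash of the finished image, and whether the two agree.
    """
    source_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            source_hash.update(chunk)
            dst.write(chunk)
    os.chmod(image_path, 0o444)  # read-only: stand-in for write-once media
    record = {
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "source_sha256": source_hash.hexdigest(),
        "image_sha256": sha256_of_file(image_path),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(image_path, expected_sha256):
    """True if the image still hashes to the value recorded at acquisition."""
    return sha256_of_file(image_path) == expected_sha256


def run_demo():
    """Acquire a constructed 'disk', verify, tamper, verify again.

    Returns (verified_at_acquisition, verified_before_tamper, verified_after_tamper).
    """
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sdb.raw")  # constructed sample disk
        image = os.path.join(workdir, "sdb.dd")
        with open(device, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))
        record = acquire_image(device, image)
        ok_before = verify_image(image, record["source_sha256"])
        # Simulate later tampering with the image (appending one byte).
        os.chmod(image, 0o644)
        with open(image, "ab") as f:
            f.write(b"\x00")
        ok_after = verify_image(image, record["source_sha256"])
        return record["verified"], ok_before, ok_after


if __name__ == "__main__":
    print("verified at acquisition, before tamper, after tamper:", run_demo())
```

The value of the hash lies entirely in when and where it is recorded: a hash computed only from the image, after the fact, proves nothing about the original disk, which is why the acquisition record above carries the hash of the source as it was read.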
Another problem that ails the Indian Cyber Law Enforcement System
today is the lack of standardisation of procedures and tools. It is
extremely important for the government to prescribe certain forensic tools
for examining the computer and making a copy of the hard disk. Once
such software has been prescribed, a selected group of police officers
must be given specialised training to operate it, and they must
be employed on a full-time basis solely for the purpose of running the
forensic tests involving the tools they specialise in.
The government must enter into multilateral agreements on Cyber Crime
issues with foreign countries, and forge agreements with them to extradite
criminals on a case-by-case basis.