Observations on the Proposed Amendments to the IT Act, 2000

By Vijay Mukhi and Karan Gokani

THE ALL INDIA ASSOCIATION OF INDUSTRIES (AIAI)

Observations on the Proposed Amendments to the IT Act, 2000

Stirred by the recent data theft cases that have hit the international headlines,
and fearing the devastating repercussions these may have on the BPO industry in
India, an Expert Committee appointed by the Central Government has proposed
several amendments to the Information Technology Act 2000 (IT Act). However,
the amended IT Act that awaits parliamentary approval is merely a piecemeal
attempt to amend the original one. Considering the failure of the previous Act,
a more profitable venture would have been a rewrite of the entire Act, while
simultaneously revamping the system of law enforcement that applies to
IT-related offences in India.
In a country like India, where the Business Processes Off-shoring (BPO) Industry
is growing so rapidly, it is crucial that there is a strong and reliable system of
enforceable legislation to reinforce customer confidence. The most realistic way
of establishing such a system, keeping in mind the distinctive features of our
legal system would be by updating previous well established laws to apply to the
existing circumstances, in conjunction with legislating new laws, guidelines and
rules on matters that the prevailing laws would not be able to relate to. Thus,
ideally, the IT Act should be an umbrella act, under which various other auxiliary
legislations should coexist. The recently amended IT Act tries to achieve this by
vesting power in the Central Government to frame rules and guidelines on
various issues so as to make the new Act resistant to technological changes. But
unfortunately as a result of this approach certain key areas tend to be rather
vague and undefined.
Observations on the Proposed Amendments to the IT Act, 2000 aims at
analysing the proposed IT Act while debating the relevance of certain provisions,
and suggesting possible alterations and additions. The paper will discuss the
feasibility of the IT Act as a single, all-encompassing statute in the present-day
IT scenario in India. Moreover, the paper makes recommendations on several
issues such as mobile phone cloning, the standard of due diligence for Cyber
Cafés, ISPs and corporations, and other vital issues that have been overlooked
by the new Act.

THE PREVAILING ACT: WHERE THINGS WENT WRONG


Rather than focussing on the fine-tuning of the IT Act, we need to focus on the
conviction of Cyber Criminals. For this we need to establish a system where the
courts, the law enforcement machinery, and the citizens are equal stakeholders.
Recently there has been a flurry of articles and comments criticising the IT Act
and the Cyber Law enforcement machinery in India. However, what would strike
one as rather shocking is that the lack of awareness, lack of technological
knowledge and lack of judicial officers is not the primary reason for the failure of
the IT Laws in India; it is the lack of attention given to the collection of electronic
evidence that has led to this.
The IT Act is probably the only Act which has survived five years since its
enactment with less than five criminal convictions accredited to it.
A Failed Legislation?
To ensure convictions of criminals, we need to establish a system of Cyber
Regulation and Justice. One would think that this could easily be realized by
simply adapting the provisions of the existing IT Laws of foreign countries to suit
the Indian circumstances. While such an approach will ensure an excellent legal
framework, in practice, the grass root difficulties that are unique to the Indian
scenario will continue to obstruct the administration of justice. Problems such as
that of collection of electronic evidence, maintenance of authentic logs and
technological difficulties will frustrate a case every time it reaches the courts.
In fact it is these and other such issues, which the IT Act fails to address, that
have eventually led to its failure.
What We Believe to be the Primary Causes of the Failure of the IT Act 2000

The IT Act was expected to ensure the end of Cyber Crime in India. Such a high
expectation itself spelt the doom of this legislation. It must be understood that
no single Act (no matter how well legislated) can satisfactorily address all the
issues pertaining to Information Technology and Cyberspace. That's precisely
where the Act and its critics went wrong. The attention, instead of being solely
on legislating the IT Act, should have simultaneously been on establishing a
system to enforce its provisions.

It is a well-known fact that the legislation of the IT Act was an effort to
strengthen International Trade Relations. In fact it was to be called the
E-Commerce Act and the ambit of this Act was to span issues solely related to
E-Commerce. However, what was ultimately enacted was a law governing the
entire IT Sector. This probably is one of the reasons for the IT Act's undue focus
on E-Commerce, and its haphazard approach to addressing conventional cyber
crime issues.

The IT Act errs in so far as it tends to be technologically specific while dealing
with certain terms and issues. A better approach would have been to allow the
courts to define and update these terms in keeping with the constant change in
technology.

Cyber Crime Investigation and Collection of Electronic Evidence should have
been central issues in the Act, but unfortunately have received far less than
their due share of attention.

Lack of frequent issuing of Rules and Guidelines by the government has led to
the IT Act functioning only as a framework legislation, without any real
substance.

THE PROPOSED ACT: A CRITICAL ANALYSIS OF CERTAIN SIGNIFICANT SECTIONS
Section 1(2): Extent of the Act
The application of the Act extends to the whole of India and to any offence or
contravention committed outside India by any person.
Instead of taking such a brave stand, the Act should have adopted a more
realistic approach and laid down provisions to establish a National Cyberspace
Regulatory Authority that kept a consolidated record of the logs of all ISPs in the
country, so as to be able to facilitate the exchange of evidentiary information
between state police forces. Such an Authority could also play an important role
in fostering mutual relations between various nations, to facilitate the exchange
of ISP logs and other vital information between them.
Such an approach would work towards securing the conviction of Cyber
Criminals who try to route their activities through foreign nations so as to
complicate investigation efforts and seek refuge under hostile legal systems. This
would in effect realise the sentiment conveyed by Section 1(2), more fruitfully, by
bringing criminals to book for contravening the provisions of this Act.
Section 1(4): Application of the Act
The classes of documents that were excluded from the ambit of the Act have
been included under the proposed amendments. This move will encourage the
growth of E-Governance in India. Such a step also sends out a positive signal, as
it signifies that the government's outlook is changing, and that it is working
towards the digitisation of records and documents. This provision may also help
to bring about transparency in the functioning of the government.
Section 2: Definitions
The Definitions Section determines the scope and success of any legislative
effort. This dictum becomes even more pertinent in the case of an Act purporting
to legislate on a complex subject such as Technology. It is essential that the
definitions be carefully framed leaving them Technologically Neutral. Additionally
they should be framed in a manner that will allow the courts to interpret and
adapt the definition of technical terms on a case-by-case basis. While the present
Act attempts to do this in most cases by empowering the Central Government to
prescribe guidelines and rules, it tends to get too vague while defining certain
terms such as Data which is defined as a representation of Information, while
the definition of Information includes the term Data. Hence this cross-reference
between the two sections fails to define the term Data, which is one of the most
crucial terms in the Act.
Additionally, the definition of Originator restricts the application of this term to a
person, when it may well be the case that a computer program or intermediary
could be the originator of an electronic message. On the other hand, in an
attempt to leave certain definitions open for future modification, certain terms
have been defined so vaguely that they fail to have any significance. For
instance, the term Cyber Café could be interpreted to mean a computer training
institute where students are given internet access for course work, a
corporation where employees are allowed to use their computers to access the
company website or to send emails to clients, a coffee shop that allows its
clients access to Wi-Fi internet and, in a particularly ridiculous situation, even an
entire business locality which is covered by a Wi-Fi network.
Section 4 and Section 5: Legal Recognition of Electronic Signatures and
Authentication of Electronic Records by Electronic Signature
Electronic Signatures have been recognised by the Act, in place of Digital
Signatures. This is an attempt to make the Act technologically neutral, and is a
welcome change. However the effect of this section is watered down by Section
5 which stipulates that until the Central Government prescribes another form of
Electronic Signature to be used, Digital Signatures are to be used for the
authentication of documents.
Section 10: Formation and Validity of Contracts
The new Section 10 (under Chapter IIIA) recognises the formation and validity of
Electronic Contracts by means of electronic records. The inclusion of Chapter IIIA
will be a boost to E-Commerce, and is a welcome addition to the Act.
Section 12: Acknowledgement of Receipt
The section provides that where the originator has stipulated that the electronic
record shall be binding only on receipt of an acknowledgement of such electronic
record by him, then unless acknowledgement has been so received, the
electronic record shall be deemed to have never been sent by the originator. For
a better understanding of this section, a reference must be made to
Section 2(1)(s), which defines electronic record as "data, record or data
generated, image or sound stored, received or sent in an electronic form or
micro film or computer generated micro fiche". Hence, in light of the above sections, it is clear that
Section 12 can have a damning effect on electronic evidence in a court of law,
and therefore can be misused by cyber criminals.
For instance, X sends a pornographic image as part of an email message to Y,
containing a clause stating, if no acknowledgement is given within five minutes
of receipt of this email message the email message will be deemed never to
have been sent. If Y does not acknowledge receipt of the email message within
five minutes of receiving the email message, the email message will be deemed
not to have been sent, hence even though the message actually resides upon
the computer of Y, it cannot be used as evidence to prosecute X.

Therefore the inclusion of such a section in the Act is rather absurd, and can
have severe ramifications.
Section 19: Recognition of Foreign Certifying Authorities
This section provides that the Controller of Certifying Authorities can, with the
previous approval of the Central Government, and in accordance with the
conditions and restrictions that may be prescribed by regulations, recognise any
foreign Certifying Authority as a Certifying Authority for the purpose of this Act.
It is therefore essential for the Controller to implement the provisions of this
section expeditiously, in order to facilitate E-Commerce with foreign clients.
Section 20: Controller to act as a Repository (deleted)
This section has been deleted. Thereby under the proposed Act, the Controller is
no more the repository of all Electronic Signatures. This function has been
handed over to the Certifying Authority, as it is believed that this section placed
an unnecessary legal obligation on the Controller in case of disputes between a
Certifying Authority and a Subscriber, and additionally the practice of making the
Controller the repository of Electronic Signatures is not being followed anywhere
else in the world.
While the effect of this amendment cannot be predicted at present, it may prove
to be a difficult task in the future to keep a consolidated record of all the public
keys issued by the various Certifying Authorities.
Section 43: Compensation for Damage to Computer, Computer System, etc.
This section may be said to impose a strict liability as no intent or knowledge is
required by the actor. Hence even when the victim suffers no damage or harm,
the person committing any of the acts enumerated under this section can be held
liable. Likewise, even an innocent may be directed to pay damages for a
mistaken act of his. Therefore to avoid such an unfair situation, the section must
be amended to include damage or injury to a computer resource, as a condition
for damages.
The provisions listed under this section are analysed below:

At the outset, it must be noted that Explanation (vii) to the section clearly
states that "without the permission of the owner" shall include access to
information that exceeds the level of authorised permission to access.

In Subsection (1), Clause (a) the term "accesses" is defined very generically
and could be interpreted to include acts like port scans, or an attempt to crack
passwords. Hence this subsection is a catch-all section and can be effectively
used by enforcement agencies to book cyber criminals.

Subsection (1) Clause (c) talks about computer viruses and contaminants.
Here the term "contaminant" is extremely wide, and may also be applied to
include computer viruses, spyware or key loggers. In fact the term is so vague
that it may even be applied to any software program installed without the
permission of the owner that slows down the system, even marginally.

Subsection (1) Clauses (d), (e), (f) are very similar and can be made to apply
to acts such as Denial of Service attacks, installation of software applications
that use up system resources, or even changing of a file name or file location in
memory.

Subsection (1) Clause (h) deals with password theft and subsequent misuse,
credit card frauds, identity theft cases, etc.

Subsection (2) in practice is an impotent section, and only aims at giving a
false sense of security to foreign investors and MNCs who are apprehensive of
investing in India, at present, as a result of the absence of Data Protection
Laws.

Section 46: Power to Adjudicate Regarding Compensation and Penalty

This section provides that in the case of a contravention under the Act or any
rules, regulations, directions or orders made thereunder, which renders a person
liable to pay a penalty or compensation, an inquiry shall be held by an officer
appointed by the Central Government, subject to certain provisions of the Act.
This provision makes it clear that besides the Adjudicating Officer, no person may
investigate or inquire into any Contravention involving a pecuniary penalty or
compensation for damages. Therefore it is essential to immediately appoint such
officers exercising designated jurisdiction across the country, without delay, in
order to facilitate the reporting and inquiry of contraventions. Without such a
system, provisions of the Act such as Section 43 become ineffective.
In this regard it is interesting to note that even though this provision has been
carried forward from the prevailing Act without any amendments, till date the
Central Government has appointed only one Adjudicating Officer for the entire
country, who is based in Delhi!
Chapter X: The Cyber Appellate Tribunal
The Act provides that Cyber Appellate Tribunals are to comprise only one
officer. It would have been a better idea to increase the constitution of this body
to three or more officers, with at least one being an expert in technological
issues.
Section 65: Tampering with Computer Source Documents
This section has been carried forward without amendment, and makes provisions
in respect to Computer Source Code, which is required to be kept or maintained
by law for the time being in force. However interestingly, there has been no such
law in force since the enactment of the IT Act in 2000. Hence in practice, this
section is futile.
Section 66: Computer Related Offences
This section is the successor to the section on Hacking. While this section is
rather wide in its ambit, and covers most cyber crimes, the use of the words
dishonestly and fraudulently instead of with the intent to cause or knowing that
he is likely to cause, dilutes the effect of this section substantially. By using this
term, the section only holds a person guilty for an intentional act, and fails to
have any effect in the case of an act done with his knowledge but without intent.
Consider the following illustration:
A software consultant is hired to install a software application on someones
computer, and he starts installing the same without reading the installation
instructions. Upon installation the computer automatically reboots, and the owner
of the computer loses vital unsaved data. Here the software consultant installing
the software has caused damage to the owner of the computer without his
permission. Yet Section 66 will not apply, as his act is not a dishonest or
fraudulent one, it is a result of his negligence. If however the words used by the
section were intent and knowledge the consultant would have been held liable,
as owing to his qualification of being a computer consultant it can be assumed
that he had the knowledge that by installing the software the system may
automatically reboot, thereby causing a loss of unsaved data.
Hence the section deviates from the traditional test of mens rea, which holds that a
person is equally liable for his omissions as he is for his acts.
In addition, the amended section prescribes a lesser penalty for offences,
stipulating a maximum period of one year imprisonment for offences under Sub
section (1) and two years under Subsection (2), as opposed to the earlier penalty
for hacking which was imprisonment for a maximum term of three years. Such a
reduction of penalty cannot possibly help to deter criminals; hence the rationale
behind such a move is questionable.
Section 67: Publishing in Electronic Form of Information which is Obscene

This section imposes a strict liability on any person who publishes or transmits or
causes to be published in the electronic form any pornographic material, as it
makes no mention of his having had the intention or knowledge of doing so. Such
a provision can prove to be rather severe, as a person may be held liable for
publishing pornographic data without his knowledge. Consider, for instance, a
computer virus which infects a person's email client and sends out pornographic
pictures to all the addresses in the address book, or an innocent hyperlink which
directs a person to a webpage, which in turn causes various pornographic web
pages to pop up.
The implications of this section can be stretched further to include an offensive
joke sent to a person through an SMS or email, for which he could be held liable
under this section!
On the other hand it is difficult to understand why the maximum term of
imprisonment for publishing pornography has been reduced from five years to
two years on first conviction, and from ten years to five years in the case of a
subsequent conviction.
However the second subsection that provides a stricter penalty for publishing
child pornography, is a welcome addition and tackles a social issue of great
relevance in recent times though the words intentionally and knowingly should
be rephrased to read intentionally or knowingly.
It is also interesting to note that under this section, a person cannot be held liable
for viewing pornographic material. Even the rather far-fetched contention that by
viewing a webpage a cached copy of the page is created on the computer is
not applicable any more, as it is a well-established legal position all over the
world today that a cached copy created by the browser is not treated as
downloading or transmitting data.
Section 68A: Encryption and Other Technologies for Security of Data
This section is a welcome change, and will help E-Commerce, if the Central
Government fulfils its duty of prescribing modes or methods for encryption from
time to time.
Section 69: Power to Issue Directions for Interception or Monitoring or
Decrypting of any Information through any Computer Resource
The amended section provides that only the Central Government may issue
directions to intercept communications, as compared to the original section under
which even the Controller of Certifying Authorities was empowered to do so.
Such a change has probably been made with a view to prevent the misuse of this
power. But a better approach would have been to continue this power, while
simultaneously prescribing harsh penalties for its abuse.

The amended section also removes "for preventing incitement to the
commission of a cognizable offence" as a ground for interception. This
amendment will dilute the effect of the section and will handicap the law
enforcement agencies.
Subsection (3) and (4) provide that the subscriber or any person in-charge of the
computer resource may be called upon to extend all facilities and technical
assistance to decrypt information or provide access to the computer resource
being investigated. Under these provisions a person could be forced to disclose
his password or to disclose the location of incriminating files on his computer,
and could thereby be made to incriminate himself. Hence this provision strikes up
the debate as to whether a person can be compelled by law to incriminate
himself.
Section 70: Protected System
This section defines a Protected System as a Computer, Computer System or
Computer Network that has been declared so by a Central Government
Notification. This unnecessarily discriminates between Protected Computers and
other computers. Such a distinction is unfair, and would be similar to treating
the murder of a poor man as less serious than that of a rich man. Hence it is
futile to bring in this distinction: all systems should be considered to be
protected systems for the purpose of the Act, and unauthorised access to any
system must be penalised strictly.
Section 72: Breach of Confidentiality and Privacy
This section addresses the critical issues of Confidentiality and Privacy. It is
apparent that this addition is a reaction to the recent spate of data theft and
pornographic MMS cases. However, Subsections (1) and (2) prescribe
"intentionally" and "intention to cause injury" respectively as the requisite mens
rea for the offence of disclosing information. Hence the section overlooks
constructive knowledge and negligence, which make a person equally culpable.
Consider, for example, a BPO employee who has access to a list of credit card
numbers along with their respective owners' names, and who sends such a file
(titled "Card Information") as an attachment to a client under the impression that
the file contains some other information. He cannot be held liable under
Section 72(2), as he did not send the file with intent to cause injury to the credit
card holders. However, if the section used the words "with the intent or
knowledge that injury may be caused", the employee could be held liable for
failing to take due care to check the contents of the file, as he is expected to
know that files containing sensitive confidential data are stored on his computer.

Subsection (3) is too specific, as it restricts itself to the "private area" of an
individual and uses terms such as "broadcast", "capture" and "under
circumstances in which that individual has a reasonable expectation of privacy".
Rather than being specified so narrowly, these terms should have been left to
the interpretation of the court.
Subsection (4) makes a reference to an aggrieved person, which is a rather
vague term. Until such a term is well defined people will not be aware of their
rights and responsibilities, which is undesirable. For instance, if a person
photographs a minor girl, without her knowledge, while she is swimming in a
private swimming pool, can the parents of the girl be aggrieved persons, or is
she alone an aggrieved person authorised to file a complaint under the act?
This section should have also specifically included provisions concerning
unsolicited calls and messages, camera phones, Spam email messages, validity
of sting operations and the recording of voice messages.
Section 73: Penalty for Publishing Electronic Signature Certificate False in
Certain Particulars
While the title of this section states penalty for publishing Electronic Signature
Certificate false in certain particulars the working part of this section restricts the
scope of the term false in certain particulars to three particulars. The section
would have been better left vague, so as to be interpreted at the discretion of the
courts.
Section 78: Power to Investigate Offences
This section stipulates that all offences under the Act can be investigated by a
police officer having the rank of Deputy Superintendent of Police or above. This
criterion is baseless, as the power to investigate must not be determined by the
rank of an officer, but on the basis of his knowledge of technology and his
experience of carrying out investigations dealing with electronic evidence.
Chapter XIA: Examiner of Electronic Evidence
This chapter is a welcome addition to the act and if properly implemented will go
a long way in securing the conviction of Cyber Criminals.
Section 79: Exemption from Liability of Intermediary in Certain Cases
This section may well be one of the most controversial amendments proposed.
The principal flaw in this section is that the concept of an Intermediary is defined
very widely and can be interpreted to include Cyber Cafes, Online Marketplaces
and Search Engines.

It goes further to absolve intermediaries of all the requirements of due diligence.
Such a blanket protection to intermediaries is undesirable, as such a lack of
accountability of intermediaries may inculcate fear in foreign clients and thereby
impact the BPO industry adversely.
Moreover, placing the burden of proving that the intermediary has conspired or
abetted in the commission of a contravention, on the complainant is rather
unreasonable, as an ordinary person would not have access to electronic
records, user logs and other vital information to prove the guilt of the
intermediary.
Section 80: Power of Police Officer and Other Officers to Entry, Search, etc.
The original Section 80, that relates to Entry, Search and Arrest without a warrant
by an officer not below the rank of Deputy Superintendent of Police, has been
dropped by the amended Act. Hence police officers will be required to secure a
warrant for entry, search and arrest during the investigation of cognizable or
non-cognizable offences. Such a provision would be unfeasible, keeping in mind
the volatility and delicate nature of electronic evidence, which can be rendered
untraceable in a matter of minutes by a criminal who has been tipped off that
an investigation is to be carried out on his machine.
Rather than adopting this approach to prevent misuse of the powers by the police
officers, the Act should have focussed on training the Police officers involved in
Cyber Crime Investigations, and imposing a harsh penalty for abuse of these
powers.
Section 85: Offences by Companies
The amended Section 85 shifts the burden of proving that a member of the
Company had knowledge of and had connived in the commission of a
contravention, upon the prosecution. Hence this section protects the high-ranking
officials of a Company, who, under the prevailing Act, can unnecessarily be
dragged into a case involving a contravention of the provisions of the Act, without
any fault of theirs. By doing so, this section upholds the legal principle that a
person is assumed to be innocent, until he is proven to be guilty beyond
reasonable doubt.
Section 88: Constitution of Advisory Committee
This section like chapter XIA has tremendous potential to establish an effective
system of IT Law in India. However in order to be effective the Advisory
Committee should be established expeditiously, and its advice should be
carefully considered and given effect to by the Central Government especially on
issues relating to the issuing of guidelines, orders, rules and updating the Act to
be at par with technological changes.

OBSERVATIONS ON CERTAIN CRITICAL ISSUES

Cyber Crime Jurisdiction: A Sticky Wicket
The IT Act envisages Extraterritorial Jurisdiction over Cyber Crimes. Hence a
reading of Section 1(2) and Section 75 of the Act shows that the IT Act provides
wide sweeping powers to the Indian courts to try cyber offences committed from
any computer, computer system or computer network located in India. Moreover,
an Indian court may prosecute any person, irrespective of his nationality, if he is
found to be guilty of committing a cyber crime whose effect is felt in India. This
implies that if an individual located in a foreign country commits a cyber crime in
another country through a computer located in India, he will be guilty under the IT
Act and will be liable for prosecution by the Indian courts.
However in effect these provisions are rather impractical, as it is extremely
difficult for Cyber Crime Investigators in India to obtain information and evidence
from foreign ISPs. Similarly, police officers of one state often pass the buck onto
the officers of another state, thereby delaying and inconveniencing the victim.
Hence there is an urgent need for a system where such difficulties are ironed out
(refer to the comments on Section 1(2): Extent of the Act, above).
Theft or deletion of data by an employee from his workplace
If an employee copies data from a computer on a floppy, CD Rom, on flash
memory or any other device, or deletes any data from a computer which he did
not have the permission to use, he can be held liable under Section 43 of the Act,
and if he does so dishonestly or fraudulently, he can also be held liable under
Section 66.
Voyeurism
A person installing a voyeur camera in a hotel room, by means of which a person
is filmed having a bath, is liable under Section 72. If this film is then broadcast by
means of an SMS or MMS message, or via email/bluetooth/infrared, the person
transmitting the message is liable under Section 72 and Section 67. Taking this
illustration a step further, if this message is then forwarded by the recipient to
another person by any of the abovementioned means, he too will be liable under
Section 72 and Section 67.
Forwarding of Obscene Messages
A person forwarding obscene text, images or sound messages by means of an
SMS, MMS, email message, Bluetooth or Infrared, or any other such means of
electronic transfer, may be held liable under Section 67. Moreover, as Section 67
does not require the person to have any specific intention, even an obscene joke
sent to the wrong mobile number can land a person in jail!
Port Scanning
A port scan, in simple words, is an attempt, by means of a network connection,
to find out which network ports on a computer are accepting connections, and
hence which programs and services are running on it. Though this act is usually
only reconnaissance in preparation for hacking into a computer, it may be
punished under Section 43(1)(a), which disallows a person to access a computer
resource without the permission of the owner or person responsible for it, or
similarly under Section 66(a)(i) if done dishonestly or fraudulently.
Penetration Tests
A penetration test is similar to a port scan, and is carried out to identify
vulnerabilities on a computer. Hence a person conducting a penetration test
without the permission of the owner may be held liable under Section 43(1)(a),
which prohibits a person from accessing a computer resource without the permission
of the owner or person responsible for it; or similarly under Section 66(a)(i) if he
does so dishonestly or fraudulently.
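As an added illustration of the port scan and penetration test described in the two sections above (this is example code written for this commentary, not code from the paper or from any tool it names), the following Python script shows what such activity looks like from the defending side: a firewall log in which one source touches many distinct ports on one host within a short time. The log format, the addresses (RFC 5737 documentation ranges) and the timestamps are constructed sample data, and the window and threshold values are assumed starting points to be tuned per network.

```python
"""Port-scan detection over firewall connection logs.

Added example for this commentary, not code from the paper or from any tool it
names. It flags a source address that touches many distinct ports on one host
inside a short window, which is what the port scan described above looks like
from the defending side. Log format, addresses (RFC 5737 documentation ranges)
and timestamps are constructed sample data; the window and threshold are
assumed starting values, to be tuned per network.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Assumed (constructed) log format:
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DROP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Constructed sample: a fast scan, an ordinary web visitor, and a slow
# one-port-per-quarter-hour probe. Nothing here is real traffic.
SAMPLE_LOG = """\
2005-03-01T10:00:00 src=203.0.113.5 dst=198.51.100.7 dport=21 action=DROP
2005-03-01T10:00:00 src=203.0.113.5 dst=198.51.100.7 dport=22 action=ACCEPT
2005-03-01T10:00:01 src=203.0.113.5 dst=198.51.100.7 dport=23 action=DROP
2005-03-01T10:00:01 src=203.0.113.5 dst=198.51.100.7 dport=25 action=DROP
2005-03-01T10:00:02 src=203.0.113.5 dst=198.51.100.7 dport=80 action=ACCEPT
2005-03-01T10:00:02 src=203.0.113.5 dst=198.51.100.7 dport=110 action=DROP
2005-03-01T10:00:03 src=203.0.113.5 dst=198.51.100.7 dport=143 action=DROP
2005-03-01T10:00:03 src=203.0.113.5 dst=198.51.100.7 dport=443 action=ACCEPT
2005-03-01T10:00:04 src=203.0.113.5 dst=198.51.100.7 dport=3306 action=DROP
2005-03-01T10:00:04 src=203.0.113.5 dst=198.51.100.7 dport=8080 action=DROP
2005-03-01T10:00:05 src=192.0.2.10 dst=198.51.100.7 dport=80 action=ACCEPT
2005-03-01T10:00:09 src=192.0.2.10 dst=198.51.100.7 dport=443 action=ACCEPT
2005-03-01T10:01:30 src=192.0.2.10 dst=198.51.100.7 dport=80 action=ACCEPT
2005-03-01T10:05:00 src=203.0.113.9 dst=198.51.100.7 dport=22 action=DROP
2005-03-01T10:20:00 src=203.0.113.9 dst=198.51.100.7 dport=23 action=DROP
2005-03-01T10:35:00 src=203.0.113.9 dst=198.51.100.7 dport=25 action=DROP
this line is not a firewall record and is skipped by the parser
"""


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str


def parse_log(text: str) -> List[Event]:
    """Parse well-formed records; skip anything else, as real logs carry noise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["src"],
                                m["dst"], int(m["dport"]), m["action"]))
    return events


def detect_scans(events: List[Event], window_seconds: int = 60,
                 threshold: int = 8) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): most distinct ports seen in any window} for pairs that
    reach the threshold. DROP and ACCEPT both count: a scan hits closed ports and
    open ones alike, and a refused connection is still an access attempt."""
    window = timedelta(seconds=window_seconds)
    by_pair: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for ev in events:
        by_pair[(ev.src, ev.dst)].append(ev)

    alerts = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()  # port -> hits currently inside the window
        left = 0
        best = 0
        for ev in evs:
            in_window[ev.dport] += 1
            # Slide the left edge until every counted event lies within the window.
            while ev.ts - evs[left].ts > window:
                old = evs[left].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), n in detect_scans(evs).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports in 60 s")
    for (src, dst), n in detect_scans(evs, window_seconds=3600, threshold=3).items():
        print(f"with a 1 h window: {src} -> {dst}, {n} distinct ports")
```

Running the script flags 203.0.113.5, which probes ten ports in four seconds, while the ordinary web visitor is ignored. The third source probes one port every fifteen minutes, which a sixty-second window never sees as a scan; widening the window (the second call) is the usual answer, at the cost of more false positives. Logs of this kind are also the evidence an investigator would need to show that the unauthorised access attempt the sections above describe actually took place.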
Password Theft
A computer password is usually stored on the computer in encrypted form.
Therefore the act of changing a password would make a person liable under
Section 43 or Section 66 of the Act. However it is interesting to note that if a
person sends an email message using another person's email account, from his
own computer, he is not liable for any offence under the Act, as it fails to address
this and other similar issues.
Misuse of Internet Account or Other Paid Service Account
If any person misuses the internet account or other such account, for which
service another person is charged, he can be held liable under Section 43(1)(h)
or even Section 66(b)(iii) (if he does so dishonestly or fraudulently) of the Act.
Phishing
Phishing is the act of stealing the online identity of another person. The act of
Phishing alone is not punishable under the Act; only a subsequent damage, loss
or fraud that is caused as a result of it may make the perpetrator liable under the
Act or other penal provisions.
This issue should have been clearly addressed by the IT Act, especially since the
incidence of gaming frauds, Nigerian frauds and other such crimes has
increased manifold in recent times. Though one may argue that Phishing is an
attempt to defraud someone, and can therefore be punished under the IPC, the
unique nature of these crimes, the ease with which they can be carried out and
the far-reaching consequences they could have, call for specialised
legislation (such as the IT Act) to deal with them.
Recording of Private Conversations
It is interesting to note that Section 72(3) restricts itself to the capturing or
broadcast of an image of a private area of an individual without his consent.
Therefore the act of recording a private conversation of an individual without his
consent has not been made an offence under the Act.
While dealing with the issue of privacy of an individual, the Act should have
included capturing of voice conversations and all private acts without the consent
of the individual, rather than restricting itself to only visual images and that too of
only the private parts of the individual.
Morphing of Images
This issue has been overlooked by the Act.
Disclosure of Personal Data
Section 43(2) makes a company, firm or other association responsible for the
safeguarding of any sensitive personal data that it handles. Therefore, in the
absence of strong security, if an employee discloses such data to any person
who does not have a right to such data, the company, firm or other association
may be held liable under this section.
Mobile Phone Cloning and IMEI Number Reprogramming
Though the Act does not specifically deal with these offences, a person can be
held liable for cloning a mobile phone SIM Card or reprogramming the IMEI
number without the permission of the owner or person responsible for the mobile
phone under Section 43(1)(a) or even Section 66(a)(i) if he does so dishonestly
or fraudulently. These sections may be applied, owing to the fact that a mobile
phone falls well within the definition of a Computer resource.
Who is the Owner of a Computer Resource?
Where multiple users use a computer at home, it is difficult to ascertain who the
owner of the computer would be for the purposes of Section 43 and Section 66.
Hence, for instance, if a man plants a key-logging device on a computer shared
by him and his wife, to monitor his wife's activities, would he be committing an
offence under the Act?
Hence the definition of owner must be clarified to address such situations.
Threatening or Defamatory Message and Cyber Stalking
The Act is silent on issues such as Cyber Stalking and defamatory or threatening
messages (sent by email, SMS, posted on message boards, published as blogs
etc). Though such acts can be penalised under the existing provisions of the IPC,
it is essential to have a specific enactment to address these issues, as today,
such offences can be committed with greater ease, and have far reaching
consequences as a result of modern day technology. Hence the penalties must
be equally reinforced to have a greater deterrent value.
Spam Messages and Phone Calls
The Act is silent on issues such as Unsolicited SMS messages, sales calls on the
mobile phone and Spam email messages. These issues deal with Individual
Privacy, and should have been included under Section 72 or as a new section in
the Act.
Consultancy Issues
Under Section 43 and Section 66 of the Act, a computer consultant or engineer
can be held liable for an act in which he exceeds the permission given to him by
the owner or any other person responsible for the Computer Resource.
Therefore such professionals must enter into explicit agreements excluding
such liability before carrying out any activity that is likely to
infringe these provisions.
Blogging
Blogging has become an extremely popular means of expressing oneself. A blog
posted online can be read by people all over the world in a matter of seconds. In
fact there are also search engines dedicated to searching blogs.
The IT Act fails to define and address this rapidly spreading phenomenon. Hence
today it is unclear whether a blog will be looked at on the same lines as a
newspaper, and to what extent the freedom of expression protects the blogger.
Writing of Malicious Code and Spyware Programs
Viruses, Worms, Trojans, Spyware etc. have increased proportionately with the
growth of Technology and the Internet. Today there are Viruses that can even
destroy a mobile phone. Hence it becomes important to destroy this evil at the
outset itself, and provide strict penalties for any person who creates such
programs. Though such a penalty may appear to be rather harsh, considering that his
act is only that of preparation to commit an offence, it is essential to put in place
such penalties, in order to deter people from committing such offences.
The Trojan Horse Defence
Julian Green, a divorced British man, was arrested for allegedly viewing child
pornography on his computer. The police seized his computer and found 172
pornographic pictures in memory. After 6 months in custody, when the case
finally came to court, Green admitted that there was child pornography on his
computer, but attributed its presence to a Trojan which had lodged itself on
his computer and downloaded images from pornographic websites every time he
connected to the Internet. He also pleaded that he had gone to great lengths to
remove this malicious program but had been unsuccessful. The police could not find
any evidence to prove otherwise, and hence Green was set free.
In another British case, a seventeen-year-old hacker, Aaron Caffrey, was arrested
for having allegedly conducted a Denial of Service Attack on the Port of Houston.
Like Green, Caffrey too claimed that the attack was the work of an attack script
run from his computer by a Trojan. However, in this case he claimed that the
Trojan had destroyed all traces of itself after conducting the attack. He even went
so far as to say that this Trojan had been placed on his machine by other hackers
who envied his success as a hacker, in an attempt to frame him. Hence even
though the police found no evidence of the Trojan on his computer, the courts
had no choice but to set him free, as he could not be proven guilty beyond a
reasonable doubt.
The cases discussed above are glaring examples of how a legislative enactment
alone is not enough to regulate and prevent Cyber Crimes. In both these cases
the accused was set free even though the law on the subject was well defined.
Hence such cases highlight the crucial role played by Electronic Evidence in any
Cyber Crime case. The procedure for collecting Electronic Evidence, and the
Technological training given to the investigators plays a crucial role in the trial.
Moreover the laws must evolve in tandem with changing technology, failing which
they will become ineffective.
Man or Machine
In one interesting case, an employee who had just resigned from his job was
arrested for stealing the company's confidential data and supplying it to his new
employers. After a thorough forensic investigation of his portable PC, it was
found that he did have certain confidential information, which he had deleted.
Committing a crime and trying to cover it up is a grave offence. However the
ex-employee pleaded that the data had been stored on his portable PC legitimately
while he was employed by the complainant company. Further, after he resigned
and joined the other company, adhering to the new company's policy, he handed
his portable PC over to the IT Department, which converted all the Outlook
Express email messages to the Outlook program. In doing so the program
deleted the original messages and stored them in the encrypted format. This
distinctive feature of the program was noticed by another forensics expert, who
testified in the employee's defence, as a result of which all charges were
dropped.
Such issues raise a new problem for investigators, making it extremely important
to distinguish between the actions of a human being and those of a computer
program, failing which an innocent person can be wrongly convicted. The IT Act must
attempt to address such technological
Maintenance of Reliable Logs
Even the most highly trained Cyber Crime Investigator can at best trace the
physical machine from which the crime was committed. From there on the
traditional methods of criminal investigation take over. Thus it is imperative that
the initial stage of investigation, which leads to the tracking down of the computer, is
carried out without a flaw.
In the majority of cases involving the use of the Internet, a physical machine can be
located using the IP Address, which is provided to the investigator by the ISP. It is
clear, therefore, that the information provided by the ISP is crucial to the
investigation. Hence in the event that the ISP fails to maintain logs, or provides
information about the IP Address based on records which are unreliable, the
defence can destroy the entire case by creating a doubt in the mind of the judge.
Consequently the maintenance of logs of IP Addresses, and the reliability of these
logs, is absolutely essential, and a system to enforce this must be introduced as
soon as possible. Failing such a system, it would be an irrefutable contention of
the defence, in any Cyber Crime case, that the ISP's logs were inaccurate.
Regulation of Cyber Cafes
Computers are still rather expensive, and not everyone can have access to one
whenever they require. As a result Cyber Cafes have mushroomed in even the
smallest quarters of the country, and continue to do so at alarming rates.
There is an urgent need to regulate such ventures, without which Cyber Cafes
will become hotspots for criminal operations. Any person desiring anonymity will
use a Cyber Cafe to commit his crimes, and the Investigators will not be able to
go any further once the computer has been located.
It is vital that Cyber Cafe owners are made to maintain logs of their computer
usage. These logs must state the name and contact details of the customer,
along with the exact time he logged onto and off the internet. In order to ensure
the authenticity of this information, Cyber Cafes could experiment with methods such
as surveillance cameras or written logs where the manager verifies an
individual's details from a valid personal identification document such as a
passport or driving licence.
Moreover, in order to ensure compliance with such a system, all Cyber Cafes
must be allowed to function only under the terms and conditions stated in a
licence, which can be revoked or suspended in case of default.
Mandatory Disclosure of Cyber Crimes
It has been a trend among corporations to cover up the incidence of cyber
crimes. This is probably done with the intention of maintaining clients' confidence
in the company. However such a practice leads to the frustration of the system of
justice. A criminal should not be allowed to go free, for he will then continue to
remain a threat to society.
Hence it must be mandatory for corporations to publicly disclose any instance of
cyber crime that occurs, failing which those in charge of it must be penalised.
Additionally such a compulsion on the company would make the company
answerable to its shareholders (in the case of public companies) and customers,
and introduce transparency in its functioning.
Such a law, in fact, is already in effect in the State of California, USA, where it is
mandatory for a company to report any instances of sensitive personal data theft
to the person concerned.
Such a compulsion may also be imposed on individuals.
Compulsory Maintenance of Logs and Records by Companies
Even though the Act does not make it mandatory for Companies to adopt a strict
security policy and to keep logs of their internal network traffic, it would be in their
best interest to do so, in order to avoid punishment under Section 85.
This can be explained by means of the following illustration:
X, an employee of Company A, sends a pornographic email message to Y. Y files
a complaint with the police. In the process of investigation, the police trace the IP
Address of the email to that of the Company. However, upon requesting the
Company's Network Administrator for the internal network layout and usage logs,
the police are informed that the Company does not maintain such records. In
such a situation the investigation cannot proceed and the wrongdoer is left
scot-free, while the Company can be prosecuted under Section 85 of the Act.
However, if the Company maintains network records using which the police are
able to trace the originating computer and the employee who sent the message, the
Company will not be held liable for the offence.
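The section on ISP logs above ("Maintenance of Reliable Logs") and the illustration here both turn on whether a log can still be trusted by the time it is produced in court. One measure an ISP or a company can take is to chain its records with hashes, so that any later edit, insertion or deletion is detectable. The Python below is an added example written for this commentary, not code from the paper or from any ISP or vendor; the record fields, subscriber identifiers and times are constructed sample data, and the practice of copying the latest ("head") hash into an external dated register is an assumption about how such a log would be operated.

```python
"""Tamper-evident (hash-chained) log records.

Added example for this commentary, not code from the paper nor any ISP's or
vendor's product. Each record's hash covers the previous record's hash, so
altering or removing an earlier record breaks every later link. Record fields
and values are constructed sample data.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor used before any record exists

# Constructed sample of what an ISP's address-assignment log might record.
SAMPLE_RECORDS = [
    {"time": "2005-03-01T09:58:12", "event": "assign", "ip": "203.0.113.5", "subscriber": "SUB-0001"},
    {"time": "2005-03-01T10:07:40", "event": "release", "ip": "203.0.113.5", "subscriber": "SUB-0001"},
    {"time": "2005-03-01T10:08:03", "event": "assign", "ip": "203.0.113.5", "subscriber": "SUB-0042"},
    {"time": "2005-03-01T11:30:55", "event": "release", "ip": "203.0.113.5", "subscriber": "SUB-0042"},
]


def link_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    """Hash of (previous hash + canonical JSON of the record); canonical form so
    that key order or whitespace cannot change the digest."""
    payload = prev_hash + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_record(chain: List[Dict[str, Any]], record: Dict[str, Any]) -> str:
    """Append a record, linking it to the current head; returns the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": dict(record), "hash": link_hash(prev, record)})
    return chain[-1]["hash"]


def build_chain(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    chain: List[Dict[str, Any]] = []
    for r in records:
        append_record(chain, r)
    return chain


def verify_chain(chain: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """(True, n) if all n links hold and, when given, the head matches the
    externally recorded head; otherwise (False, i) with i the first bad link
    (i == len(chain) means the links hold but the head does not match)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if link_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, len(chain)


def demo() -> Dict[str, Tuple[bool, int]]:
    """Build the sample chain and show what each kind of tampering looks like."""
    chain = build_chain(SAMPLE_RECORDS)
    head = chain[-1]["hash"]  # assumed practice: copied into an external, dated register

    edited = copy.deepcopy(chain)
    edited[2]["record"]["subscriber"] = "SUB-0099"  # reassign the address to someone else

    deleted = copy.deepcopy(chain)
    del deleted[1]  # drop the release event, lengthening SUB-0001's apparent session

    truncated = chain[:-1]  # silently drop the most recent record

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_without_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, pos) in demo().items():
        print(f"{name:24s} {'OK' if ok else 'BROKEN at entry ' + str(pos)}")
```

The demo returns five verification results: the intact chain passes; editing record 2 or deleting record 1 breaks the chain at that position; dropping the last record passes if only the chain itself is checked, which is why the head hash must be anchored somewhere the log keeper cannot rewrite (a printed daily register, a third party's timestamp), after which the truncation is caught as well. Hash chaining shows that a log was not altered after it was written; it cannot show that the entries were accurate when written, so it complements, rather than replaces, the procedural requirements this commentary proposes.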

Prescribed Procedures of Cyber Crime Investigation
As already discussed above, the crux of the problem that plagues the Indian IT
sector is the lack of convictions of cyber criminals. The only solution to this
problem is to formulate a strict procedure for Cyber Crime Investigations. As in
all criminal matters, evidence forms the basis of the case. But in a cyber crime the
issue of evidence is more complicated, because of the inherent fragility and
sensitivity of the material and data used as evidence. Hence the only way of
preventing the ever-increasing occurrence of cyber crimes is to implement
certain best practice guidelines which must be strictly followed by investigators
in any cyber crime case. These guidelines must be framed in consultation with IT
professionals. Additionally, officials must be trained to detect and handle
electronic evidence, and only officials who have good technical knowledge and
experience in the field must be allowed to lead an investigation (the stipulation
on hierarchy should be done away with).
Lastly, the investigators must be provided with adequate technical instruments,
and the government must issue guidelines detailing the investigative tools and
hardware that may be used by the investigator.
[A few points for consideration while preparing a Manual for Cyber Crime
Investigation have been specified in Appendix A]

CONCLUSION
It is interesting to observe that only a few decades ago, it was the norm for
countries to have relaxed IT laws, to encourage growth of technology and the
internet. Today, however, this attitude has reversed its path and legislators the
world over are working vigorously to regulate cyberspace, and the use of
technology.
India on the other hand seems to be following the earlier practice of encouraging
technology through lawlessness. In fact the recent amendments to the IT Act
clearly show that the Government is more concerned with relaxing penal
provisions rather than consolidating the laws in our country to dispel the fears of
MNCs and foreign investors.
The prevailing IT laws need to clearly address issues such as mobile phone
cloning, number portability, password theft, spam emails and SMS messages,
convergence of mobile phones and credit cards, standards of due diligence for
intermediaries, investigation of cyber crimes and examination of electronic
evidence, technical training of Cyber Crime Investigators, lawyers and the
judiciary, etc.
A strong system of IT law in India can only be realised as a result of the
combined effort of experts in the fields of Technology, Law Enforcement,
Legislation and the Judiciary. This is essential, as a technology expert can
foresee technological changes in the future, while a legal expert can foresee
complications in the courtroom, and an enforcement official the technical difficulties
of implementation. Keeping these views in mind, the problems that currently ail
the system, as well as those that may arise in the future, must be given careful
consideration, and a system that can adapt to subsequent changes in technology
must be instituted.
Finally the government must act soon to establish this system, failing which
lawlessness on the net will turn people away from it, rather than popularising its
use (as the Internet still remains a novel concept for most people in India). Also a
weak legal framework will attract International Cyber Criminals, and it will not be
long before our shores become a haven for Cyber Criminals, instead of foreign
investors.

APPENDIX A
Drafting A Cyber Crime Investigation Manual: Points for Consideration
Digital Evidence forms the basis of the prosecution's case against the accused. A
minor uncertainty in the evidence can destroy the prosecution's case, as a result
of which a criminal can be set free.
Hence we recommend that the government must publish a manual to guide
forensic experts in their investigation. This manual will also ensure the regulation
and standardisation of the procedure adopted by Cyber Crime Investigators
throughout the country. Additionally, such a manual should have legal
recognition, and should also prescribe the software and hardware tools that
should be implemented in an investigation.
Such a manual will spearhead Cyber Law enforcement in our country, and give
an impetus to forensic experts who are waiting for a directive to guide their
efforts.
We have listed certain pointers below which could be taken into account while
drafting such a manual:

The new dictum the world over is, "Think twice before confiscating a
computer." This is simply because a single server may run more than one
website; similarly, the functioning of an entire corporation may be
dependent on a server. Confiscating a server for investigation in such a
situation would be impractical and unfeasible. Hence, unless absolutely
necessary, physical machines should not be confiscated.

There is also a debate on whether an investigator should pull the plug on
the computer which is being taken in as evidence. Such a practice may
sometimes lead to a device driver malfunctioning or the system getting
corrupted; however, the other viewpoint states that the plug must
be pulled, as very often the criminal could have programmed a logical
booby trap to delete all data at the time of shutting down the system. Both
these views are equally compelling. Therefore the Act must prescribe a
procedure after considering both these views.

Another problem an investigator may face is a situation where the
server or machine which is to be examined cannot be shut down, as it
would not be practical or feasible to do so. In such a situation the
Investigator must perform a live hard disk copy using a prescribed
forensic tool in the presence of an appointed computer expert and
witnesses.

As an initial precaution, investigators must also scan the surroundings of
the computer and the CPU cabinet for physical booby traps which,
although rare, are sometimes placed by professional Cyber Criminals.

The investigator must never work on a machine directly. He must work
only on the copy of the hard disk.

Once the computer has been shut down, a prescribed forensic tool such
as EnCase should be used to make an image of the hard drive. We
recommend that the copy of the hard disk be made on a write-once media
that cannot be tampered with or altered in the future.

The entire investigative procedure must be accurately documented by the
Investigating Officer, and must be carried out in the presence of neutral
witnesses. We recommend that there should be three or more witnesses,
one of whom is a computer expert, invited to be a part of the investigation
by the Investigating Officer, and the other two witnesses should be
persons who are competent to enter into a valid contract under Indian law,
and who are well versed with the basics of computers.

The witnesses must be presented with a checklist before the
commencement of the investigation. This checklist must lay down the
procedure to be followed by the Cyber Crime Investigators, in simple and
clear terms. It must also have a space for the witness to write down his or
her comments, and to testify that the investigation was carried out in strict
adherence to the procedure specified in the checklist.

Once the hard disk is seized by the investigator and sealed before the
witnesses, the seal must be opened for the purpose of making a copy
only before a magistrate or investigating witnesses, so that it cannot later
be contended that the evidence had been tampered with.

In a situation where the computer cannot be seized, once a copy of the
hard drive is made the same must be sealed in the presence of a witness.
We recommend that the copy be made in triplicate, so that one copy
can be examined at the crime scene by a Mobile Cyber Crime
Investigation Laboratory, the second copy can be sent to an expert
laboratory for further verification of the findings, and the third copy can be
saved as a backup which may also be presented in court. (It is important
to note here that a copy of the hard disk made on a Write-Once type of
media such as a DVD-R or CD-R is of much greater evidentiary value, as
the defence cannot plead that the evidence has been tampered with.)
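The points above all rely on the copy of the hard disk being demonstrably unaltered. Beyond write-once media, the standard way to make this verifiable is to hash the acquired image and every copy of it before the media are sealed, and to enter the digest in the witnessed record, so that the same check can be repeated whenever a seal is opened. The Python below is an added example written for this commentary, not code from the paper and not EnCase or any other named tool; the "image" is a constructed byte string written to temporary files, and the officer and witness names are placeholders.

```python
"""Integrity verification of forensic disk-image copies.

Added example for this commentary, not code from the paper and not EnCase or
any other named tool. It hashes the acquired image in streaming fashion and
confirms that every copy (the triplicate the appendix recommends) is
bit-for-bit identical before the media are sealed. The "image" is a constructed
byte string written to temporary files, not a real disk.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK_SIZE = 1 << 20  # 1 MiB: images far exceed memory, so never read them whole


def sha256_file(path: str) -> str:
    """SHA-256 of a file computed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copies(source: str, copies: List[str]) -> Tuple[str, Dict[str, bool]]:
    """Hash the source once, then each copy; a copy passes only on an exact
    digest match. Sizes are compared first so a copy cut short by a media
    error fails without a full read."""
    digest = sha256_file(source)
    size = os.path.getsize(source)
    results = {}
    for path in copies:
        ok = os.path.getsize(path) == size and sha256_file(path) == digest
        results[os.path.basename(path)] = ok
    return digest, results


def acquisition_record(digest: str, results: Dict[str, bool],
                       officer: str, witnesses: List[str]) -> str:
    """Plain-text record of the digest and outcome, to be signed by the
    witnesses alongside the checklist the appendix describes."""
    lines = [f"Image SHA-256: {digest}"]
    lines += [f"{name}: {'VERIFIED' if ok else 'MISMATCH - DO NOT SEAL'}"
              for name, ok in results.items()]
    lines.append(f"Investigating Officer: {officer}")
    lines.append("Witnesses: " + ", ".join(witnesses))
    return "\n".join(lines)


# Constructed stand-in for an acquired image: 2 MiB of deterministic bytes.
SAMPLE_IMAGE = bytes(range(256)) * 8192


def demo() -> Tuple[str, Dict[str, bool]]:
    """Write the sample image and three copies (one with a single bit flipped)
    to a temporary directory and verify them."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "acquired.img")
        with open(src, "wb") as f:
            f.write(SAMPLE_IMAGE)
        corrupted = SAMPLE_IMAGE[:-1] + bytes([SAMPLE_IMAGE[-1] ^ 0x01])
        copies = []
        for name, data in (("copy1_scene.img", SAMPLE_IMAGE),
                           ("copy2_lab.img", SAMPLE_IMAGE),
                           ("copy3_backup.img", corrupted)):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            copies.append(path)
        return verify_copies(src, copies)


if __name__ == "__main__":
    digest, results = demo()
    # Placeholder names; a real record carries the actual officer and witnesses.
    print(acquisition_record(digest, results, "IO (placeholder)",
                             ["Witness 1 (placeholder)", "Witness 2 (placeholder)"]))
```

In the demo the third copy differs from the source by one bit, so it fails verification while the other two pass. Recording the digest in the witnessed record means that, when a sealed copy is later opened before a magistrate, recomputing the hash shows that the copy examined is the copy that was sealed, which is the point the appendix makes about write-once media.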

Another problem that ails the Indian Cyber Law Enforcement System
today is the lack of standardisation of procedures and tools. It is
extremely important for the government to prescribe certain forensic tools
for examining the computer and making a copy of the hard disk. Once
such software has been prescribed, a selected group of police officers
must be given specialised training to operate this software, and they must
be employed on a full-time basis only for the purpose of running the
forensic tests involving the tools they specialise in.

There is an urgent need to set up specialised computer forensics
laboratories in all the major states of the country. Skilled individuals
should be employed to run these laboratories, and they must carry out
their functions in consultation with government recognised IT firms and
associations.

In addition to these specialised laboratories, there must also be a group of
highly skilled Cyber Crime Investigators, who are given adequate tools
and resources to set up a Mobile Cyber Crime Investigation Laboratory at
the crime scene or at a location nearby, so as to facilitate the search for
evidence immediately.

One of the unique features of a Cyber Crime is that it can involve
individuals located at opposite ends of the globe. A single criminal act can
invoke several jurisdictions. Hence the state and district police wings
need to iron out their differences, and cooperate with each other to fight
this battle.

The government must enter into multilateral agreements on Cyber Crime
issues with foreign countries, and forge agreements with them to extradite
criminals on a case-by-case basis.

Lastly, Corporations and Individuals must be made aware of their rights
and responsibilities. For instance, a corporation having an internal
network must be required by law to maintain a Network Map, Network
Logs and an adequate Security Policy. Similarly, ISPs must also be
compelled to maintain logs of their customers' usage. Failing such steps,
it would be very difficult to reach an accurate conclusion in a Cyber
Crime Investigation involving them.
