<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 111 to 115.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/information-technology-act"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/a2k/blogs/at-the-end-of-the-niche-optical-pirate"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/it-act-and-commerce"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/primer-it-act"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/comments-draft-rules"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/information-technology-act">
    <title>Civil Liberties and the amended Information Technology Act, 2000</title>
    <link>https://cis-india.org/internet-governance/blog/information-technology-act</link>
    <description>
        &lt;b&gt;This post examines certain limitations of the Information Technology Act, 2000 (as amended in 2008). Malavika Jayaram points out that while most countries are adopting plain English in place of conventional legal terminology for better understanding, India seems to be stuck in the old-fashioned method, thereby struggling to maintain a balance between clarity and flexibility in drafting its laws. The present Act, she says, is an improvement over the old Act and seeks to address and improve on certain areas in the right direction, but it still comes up short in making necessary changes when it comes to fundamental rights and personal liberties. The new Act retains elements from the previous one, making it an abnormal document, and this could have been averted if there had been some attention to detail.&lt;/b&gt;
        
&lt;p&gt;After close to a decade of dealing with English statutes, European directives and pan-European regulations, I was struck anew by the antique style of Indian draftsmanship on my return. Much of the world is moving away from stiff legal speech and towards plain English. Even England has converted to a simpler, more concise legal rhetoric. India, however, has a peculiar genius for imprecision and euphemism that makes the purpose and implications of the law hard to understand and apply. While it may seem quaint, to pepper a law with terms like ‘inconvenience’, ‘nuisance’ or ‘annoyance’, the language fails to convey the seriousness of the offences being defined. A reading of the Information Technology Act, 2008, in its new incarnation incorporating the latest amendments and rules (ITA), is a case in point.&lt;/p&gt;
&lt;p&gt;Legal draftsmen inevitably wrestle with the age-old dilemma of the generic versus the specific, the potential dangers of a broad definition versus the built-in obsolescence of a narrow spotlight. The crafters of the ITA, in their admittedly admirable attempts to redress some of the gaps and ambiguity in the original law, appear to have struggled in their efforts to strike a balance between clarity and flexibility. While the new avatar is certainly an improvement in some areas, one can’t help but regret the missed opportunity to make necessary changes. Most important is the negative impact of the occasionally sloppy and sometimes overly wide drafting on deeply cherished fundamental rights and personal liberties.&lt;/p&gt;
&lt;p&gt;Among other things, the ITA has sought to address and improve aspects such as technology neutrality, data protection, phishing and spam, child pornography, the liability of intermediaries and cyber terrorism. While many of these amendments are a step in the right direction, the actual drafting that implements the high level objectives suffers in many respects. For example, the previous emphasis on ‘digital signatures’ has shifted to the technologically neutral ‘electronic signatures’ but the changes have not been carried out thoroughly enough to expunge the old concept entirely. The current law is a bit of an abnormal document in that it contains elements of both concepts, which some attention to detail could easily have averted. Another example is that the provisions meant to combat spam and phishing end up using the dreaded ‘annoyance’ and ‘inconvenience’ terminology with the effect of casting the net of criminality over far more than is appropriate. For example, mail sent with the purpose of causing ‘annoyance’ or ‘inconvenience’ (not exactly the worst offence in the offline world) could put someone behind bars.&lt;/p&gt;
&lt;p&gt;An important set of well intentioned but woefully inadequate provisions are those relating to the protection of data. The absence of a specific law on data protection had, in itself, garnered much criticism both within the country as well as in the context of international transactions and outsourcing. The old Act offered the feeble protection of a single provision (section 43) that dealt with unauthorised access and damage to data. In an attempt to meet industry demands and international market standards, the ITA introduced two sections that address civil and criminal sanctions. While this exercise understandably falls far short of a comprehensive law relating to data (being squeezed into an omnibus piece of technology related legislation, rather than one geared up only to deal with data), there was considerable anticipation of its role in papering over the existing cracks and providing a workable, if temporary, data protection regime.&lt;/p&gt;
&lt;p&gt;However, the attempt is such a limited one, and so replete with shortcomings that the need for a ‘proper’ data protection law still stands. Given the proposed initiation of the UID scheme, in particular, there is a compelling need for a robust and intelligent law in this regard. Most other countries’ regimes clearly do at least the following:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;define and classify types of data (for example, in most European countries, ‘personal data’ is any data that identifies an individual, ‘sensitive personal data’ is data that reveals details of ethnicity, religion, health, sexuality, political opinion, etc.),&lt;/li&gt;&lt;li&gt;fine-tune the nature of protection to the categories of data (i.e., greater standards of care around sensitive personal data),&lt;/li&gt;&lt;li&gt;apply equally to data stored offline and manually as to data stored on computer systems,&lt;/li&gt;&lt;li&gt;distinguish between a data controller (i.e., one who takes decisions as to data) and a data processor (i.e., one who processes data on the instructions of the data controller),&lt;/li&gt;&lt;li&gt;impose clear restrictions on the manner of data collection (for example, must be obtained fairly and lawfully),&lt;/li&gt;&lt;li&gt;give clear guidelines on the purposes to which that data can be put and by whom (often involving a consent requirement that gives the individual a great degree of control over their data),&lt;/li&gt;&lt;li&gt;require certain standards and technical measures around the collection, storage, access to, protection, retention and destruction of data,&lt;/li&gt;&lt;li&gt;ensure that the use of data is adequate, relevant and not excessive given the purpose for which it was gathered,&lt;/li&gt;&lt;li&gt;cater for opt-in and opt-out type regimes, again to provide individuals with a measure of control over the use of their data even after the stage of initial collection (which has a huge impact on invasive telemarketing or unsolicited written communication),&lt;/li&gt;&lt;li&gt;impose a knowledge requirement and procedures for allowing individuals to seek information on what data is held on them, and&lt;/li&gt;&lt;li&gt;create safeguards and penalties that are well tailored to breaches of any of the above.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;Unfortunately, and perhaps understandably, the ITA barely begins to scratch the surface of what a good data protection regime entails. The provisions that it does introduce (sections 43-A and 72-A) have glaring inadequacies. Briefly:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;the term ‘sensitive personal data or information’ is used indiscriminately without any definition,&lt;/li&gt;&lt;li&gt;the provisions only cover electronic data and records, not data stored in non-electronic systems or media,&lt;/li&gt;&lt;li&gt;they offer no guidance on most of the principles set out above such as in relation to accuracy, adequacy, consent, purpose, etc.,&lt;/li&gt;&lt;li&gt;in the absence of the controller-processor distinction, liability is imposed on persons, who are not necessarily in a position to control data, even if it is in their possession,&lt;/li&gt;&lt;li&gt;civil liability for data breaches only arises where ‘negligence’ is involved (i.e., failure to have security procedures or failure to implement them correctly will not automatically result in damages unless negligence is proven),&lt;/li&gt;&lt;li&gt;similarly, criminal liability only applies to cases of information obtained in the context of a service contract, and requires an element of ‘wilfulness’, or a disclosure without consent or in breach of a lawful contract – this is a very limited remit aimed largely at preventing disgruntled or unscrupulous employees from dealing in company/customer data.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;For these broad reasons, we can see that even the amended ITA disappoints those who expected a greatly improved regime in relation to data. It is widely anticipated that the UID scheme, which poses so many potential data protection issues, will serve as a catalyst for a standalone law that is on par with the more sophisticated regimes that function very well in other countries. One great feature common to most of those regimes is that they are consumer/individual focused. The freedom and privacy of the individual is the central concern of protection. Our ITA seems far more concerned with providing corporates with a stick to beat errant employees with, and with catering to the needs of the outsourcing and IT industries. It remains to be seen whether the UID scheme will merely galvanise some targeted legal action covering UIDs rather than generating a broad based piece of legislation.&lt;/p&gt;
&lt;p&gt;In addition to the criticisms levelled at the data protection provisions, the other large subset of concerns has been in relation to the civil liberties implications of the ITA. There has been some horror expressed in various forums and media about the ITA contributing to the growth of a police state, to severe curtailment of the freedom of speech and expression, to the invasion of privacy, and to the disproportionate severity of penalisation for offences that are placed on crimes committed in cyberspace compared to crimes committed in the here and now. Sadly, this is true to a large extent given the clunky treatment of ‘cyber terrorism’, the intolerable pre-censorship that is enabled by the blocking of websites, the broad approach to the monitoring and collection of data, and the demanding obligations of intermediaries to cooperate with interception, monitoring and decryption of data for poorly defined reasons.&lt;/p&gt;
&lt;p&gt;While our Constitution’s fundamental rights chapter, which enshrines certain basic, democratic, and profound rights, might not have the same vocabulary of due process as we see in the US, it nevertheless requires restrictions to be reasonable. Precedents and the wider jurisprudence in the field have further developed the concepts of checks and balances, procedural safeguards and legitimacy of restraints that a functioning democracy like India must accord to its people. It can be argued that several provisions of the ITA cause significant tension with the right to freedom of speech and expression, the right against self-incrimination, the right to equality before the law, and the right to practice a trade or profession. To briefly deal with the worst offenders in the IT Act, I have divided them into some broader topics:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Pre-censorship&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Some of the most excessive provisions relate to the free hand with which public access to websites can be blocked. Previously, there was some hope that the rules yet to be formulated in connection with section 69-A would offer some procedural safeguards. The recently notified rules do contain details – in the bureaucratese that we have come to expect – of the process to be followed by the designated functionaries. They also permit the concerned person or intermediary to submit a reply and clarifications to the committee before the decision to block access is taken.&lt;/p&gt;
&lt;p&gt;These rules are to a large extent undermined by rule 9 (“Blocking of information in cases of emergency”), which provides that, “…&lt;em&gt;in any case of an emergency nature, for which no delay is acceptable&lt;/em&gt;…”, the process will turn into an internal escalation within the department of IT and interim directions relating to blocking access may be issued &lt;em&gt;without giving (him) an opportunity of hearing&lt;/em&gt;. There are those who think that, given the events of 26/11, this is wholly justified but the prospect of abuse fills others with dread. The rules may offer detailed time-frames within which orders are made and approved, require reasons to be recorded in writing, provide that emergency orders may be revoked and information unblocked, etc. Regardless, the nature of the process (executive rather than judicial), the ease with which it can be abused, and the fact that the review committee will only meet once in two months to check for compliance, set aside incorrect orders and unblock information, do not offer much comfort. If a site is incorrectly blocked, it could take up to two months for this to be rectified, which could cause great damage to the owner of the site, and indeed to the wider public that has an interest in uncensored, free speech.&lt;/p&gt;
&lt;p&gt;Given that any person can submit a request, it is not unreasonable to anticipate a certain level of frivolous and malicious requests for blocking sites, especially given that the grounds for blocking are very wide (the often repeated set that we are familiar with, namely, in the interest of sovereignty and integrity of India; relating to defence of India/ security of State/ friendly relations with foreign states/ public order and for preventing incitement to commission of any cognizable offences). Without a review committee constantly monitoring and policing the unbridled use of the provisions, the backlog of blocking decisions that may need to be reversed can become a mountain very quickly. The dangers of pre-censorship and the curtailment of dialogue, debate and free speech are even greater in a country with an increasingly thin-skinned populace. Faced with a volatile backdrop of great diversity of religion, political opinions, views on sexuality, morality, obscenity and other highly subjective values and beliefs, there is immense extra-legal pressure on free speech. Thus, there is now a need for greater vigilance so that the thought police do not wield the stick of harsh penalties under the ITA without reason and due process.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Privacy and surveillance&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This topic pulls together concerns around the blanket monitoring and collecting of traffic data or information, the interception and decryption (under duress) by intermediaries (now a large superset of ISPs, search engines, cyber cafes, online auction sites, online market places, etc.) and the wide definition of ‘cyber terrorism’ (which ludicrously even casts defamation as a terrorist activity).&lt;/p&gt;
&lt;p&gt;Some of the broad concerns in relation to interception, monitoring and decryption (section 69) are that:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;there is no provision for a clear nexus between an intermediary and the information or resource sought to be monitored or intercepted,&lt;/li&gt;&lt;li&gt;the usual internationally recognised exception to liability where an intermediary operates purely as a conduit and has no control over data flowing through its network is not clearly spelt out,&lt;/li&gt;&lt;li&gt;the penalties for non-cooperation are extremely harsh, especially given the absence of a) and b) above,&lt;/li&gt;&lt;li&gt;these onerous penalties can be said to be in violation of Article 14 as they seem entirely disproportionate. Similar offences and remedies in the Code of Criminal Procedure or the Indian Penal Code prescribe less severe penalties, by an order of magnitude in fact. When the only difference between the offences is the medium in which information is contained, it seems arbitrary to impose a much harsher punishment on an online intermediary than on a member of the public who, for example, furnishes false information to the police in connection with a trial or enquiry.&lt;/li&gt;&lt;li&gt;the rules made in relation to monitoring, interception and decryption, offer some procedural safeguards, in that they impose a time limit on how long a directive for interception or monitoring can remain in force, a ceiling on how long data can be kept before it is required to be destroyed, etc. However, the effect of these is greatly diluted by exceptions “for functional requirements”, etc. The astonishing irony is that rule 20 requires the intermediary to maintain “…&lt;em&gt;extreme secrecy&lt;/em&gt;…” and “…&lt;em&gt;utmost care and precaution&lt;/em&gt;…” in the matter of interception, monitoring or decryption of information “…&lt;em&gt;as it affects the privacy of citizens&lt;/em&gt;…”!!!!&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;In a similar vein, there are concerns around the monitoring and collection of traffic data (section 69B) as the section contains an unreasonably long list of grounds for monitoring. These include such extreme excesses as “forecasting of imminent cyber incidents”, “monitoring network application with traffic data or information on computer resource”, “identification and determination of viruses/computer contaminant”, and the catch-all “any other matter relating to cyber security”.&lt;/p&gt;
&lt;p&gt;Finally, the main criticism of the ITA approach to ‘cyber terrorism’ is the very wide net that it seeks to cast, looking for a game that has little or nothing to do with the named offence. Amongst the cast of creatures unwittingly caught during this fishing expedition, we find some unlikely victims. In addition to the usual grounds of offence against sovereignty, national security, defence of India, etc., which we have seen in relation to other sections, the ITA considers the following as acts of cyber terrorism – broadly speaking, unauthorised access to information that is likely to cause:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;injury to decency,&lt;/li&gt;&lt;li&gt;injury to morality,&lt;/li&gt;&lt;li&gt;injury in relation to contempt of court, and&lt;/li&gt;&lt;li&gt;injury in relation to defamation.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;This would almost be laughable if these grounds were not enacted into law, posing a threat to civil liberties by their very existence. Other countries have some notion of political ideology, religious cause, etc. in their view of terrorism. That (a) to (d) above have been shoehorned into a clause that imposes the stiffest penalty within the entire ITA (life imprisonment) gives even more cause for concern.&lt;/p&gt;
&lt;p&gt;In closing, I should reiterate that the ITA includes other deficiencies and worthwhile improvements alike, but an article focusing largely on the data protection and civil liberties aspects cannot reference them all.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/information-technology-act'&gt;https://cis-india.org/internet-governance/blog/information-technology-act&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Malavika Jayaram</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-03-21T10:13:53Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/a2k/blogs/at-the-end-of-the-niche-optical-pirate">
    <title>At the end of the niche optical pirate</title>
    <link>https://cis-india.org/a2k/blogs/at-the-end-of-the-niche-optical-pirate</link>
    <description>
        &lt;b&gt;In this blog post, Siddharth Chaddha goes enquiring into the modus operandi of a video pirate / film lover / businessman in Bangalore's famed National Market.&lt;/b&gt;
        &lt;h3&gt;&lt;strong&gt;Getting to the National Market&lt;/strong&gt;&lt;/h3&gt;
&lt;p&gt;Wading through Majestic Bus Stand,
Flea Markets, Private Bus Stops and vehicles going around in circles,
you could almost miss this board outside one of the shopping plazas.
NATIONAL MARKET, the famed "pirate market" at the heart of
the city. Most of the business here is illegal and the local police
raid the thirty odd shops selling goods, which within the purview of
any multilateral agreement under WIPO or TRIPS regime would be an
infringement of copyright, at least once a
month. The shops run shutter to shutter, each one five by four feet.
Crowded with sellers and customers, all pirate markets typically
smell the same. Pirated DVDs, DVD players, Chinese mobile phones and
PDAs, even VHS players of yore, smuggled MP3 music systems, fake
Ray-Bans and Police sunglasses, gaming consoles. You name it, and
National Market has it.&lt;/p&gt;
&lt;h3&gt;Meet the Pirate&lt;/h3&gt;
&lt;p&gt;Tall and sporting a stubble, Sooraj
(name changed) is a Malayali who has been in the trade for over 8
years. "Earlier, I used to have the best English Movie
collection ever. But now, it's all going away. Most people have
shifted from DVDs to Digital Storage and Bit Torrents", says
Sooraj. A family comes across the counter. A middle aged man
accompanied by two women in burqas, one of them carrying a young
baby boy in their hand. "Tom and Jerry!", says the man and
Sooraj's helper brings out a carton full of animated Hollywood films.
Finding Nemo, The Lion King, Madagascar, it's all there. "No Tom
and Jerry. This doesn't have Tom and Jerry", growls the stout
customer. Sooraj jumps into the action, hunts out a DVD from a stack
and puts it on the table. "Tom and Jerry Tales - 13 episodes",
reads the outside with a classic Tom chasing Jerry picture on the
cover. Satisfied, the family puts it aside and goes on to explore
other popular cartoon series. In the end, the man calls for
Maharathi, a recent Bollywood flick. He looks at the cover
intriguingly and I decide to butt in, "Amazing movie. Just saw
it last week. Great plot." The deal is sealed after a bout
of bargaining over the price. As the family dissolves into the market,
Sooraj turns back and says to me, "A lot of customers bargain. I
get a headache. And my shop is the first one in the market, inside
people operate on margins of 5-10 rupees. That just ruins everything
for us. They don't think of the amount of the risk involved."&lt;/p&gt;
&lt;h3&gt;The Business of Piracy&lt;/h3&gt;
&lt;p&gt;Sooraj explains to me how Chennai is the biggest market of
the South. "Chennai is a sea. You will get everything there.
Once you take a dive in that ocean, it's all there." When I ask
him of the chain of distribution, he says, "No one will say that
I print the covers of fake DVDs or I copy prints. For me, I just
call my distributor and everything comes from Chennai. I don't ask
beyond that. The stock comes in the price range of 25-35-40 Rupees.
Now, there is only one quality of stock. The market is dying. No one
has good stock. Earlier, we used to sell DVDs for Rs.70-80. Now,
there is no demand. Even the wholesale business is at a low." I ask
him, "So what are you going to do, now that soon DVDs will be
gone?" Sooraj is not flustered. "We will shut this and start
a new business," he says. I quietly step back, as another
customer comes asking for audio CDs. He doesn't deal in those.&lt;/p&gt;
&lt;h3&gt;Enforcement Threat&lt;/h3&gt;
&lt;p&gt;When the customer is gone, I ask him,
"How often does the police raid this market?" He smiles and
replies, "Not often anymore. The business is almost dead. But
yes, they come sometimes. Then you are taken away and a case ensues."
I decide to ask him candidly, "How many times have you been
booked?" He smiles again. "5-7 times. I have a few cases
pending, dates that I have to go and visit the court. They arrest you
for a day but that's all they can do. After all this is not a big
crime." He continues dealing with customers who have various
demands for music and films. Some he sells to, he guides others to
the inside shops. "I sell about a 1000 DVDs every day. Earlier,
the figure used to be much higher. Mostly English. Hindi, Tamil and
Telugu too. No Kannada," he volunteers. I probe further, "Why
no Kannada?" He says that he supports protection for their
own industry. "And the market price for Kannada films is
appropriate. Some are Rupees 60, 90, 110. That's reasonable. We do not
need to pirate it."&lt;/p&gt;
&lt;p&gt;I ask him for Tamil titles. He asked if
I wanted &lt;em&gt;Ghajani&lt;/em&gt;. "I saw it when it released. Give me something
that's worth watching." He picks out two. &lt;em&gt;Saroja&lt;/em&gt; and &lt;em&gt;Subramaniya
Puram&lt;/em&gt;. He doesn't make a profit in this deal but something tells me
that he is happy to spread the love of good films. "Can I click
a picture?" He refuses, saying it would not be a good idea. I
shake his hand. Until next time.&lt;/p&gt;


        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/a2k/blogs/at-the-end-of-the-niche-optical-pirate'&gt;https://cis-india.org/a2k/blogs/at-the-end-of-the-niche-optical-pirate&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>siddharth</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Consumer Rights</dc:subject>
    
    
        <dc:subject>Piracy</dc:subject>
    
    
        <dc:subject>Intellectual Property Rights</dc:subject>
    
    
        <dc:subject>internet and society</dc:subject>
    

   <dc:date>2011-08-04T04:44:58Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/it-act-and-commerce">
    <title>IT Act and Commerce</title>
    <link>https://cis-india.org/internet-governance/blog/it-act-and-commerce</link>
    <description>
        &lt;b&gt;This is a guest post by Rahul Matthan, partner in the law firm Trilegal, and widely regarded as one of the leading experts on information technology law in India.  In this post, Mr. Matthan looks at the provisions in the amended Information Technology Act of interest to commerce, namely electronic signatures and data protection.&lt;/b&gt;
        
&lt;p&gt;This post analyses the amendments brought about to the Information Technology Act, 2000 (“IT Act 2000”) through the recent 2008 amendments (“IT Act 2008”).&lt;/p&gt;
&lt;h2&gt;Definitions&lt;/h2&gt;
&lt;p&gt;The IT Act 2008 has introduced a few additional definitions to the list of definitions originally included in the IT Act 2000. These definitions have either amplified the existing provisions or been introduced in order to address new issues required to be defined in the context of the newly introduced provisions in the statute. Some of the significant definitions have been discussed below:&lt;/p&gt;
&lt;h3&gt;Computer Network&lt;/h3&gt;
&lt;p&gt;The definition of “computer network” has been amended to specifically include the wireless interconnection of computers. While wireless technology did fall within the scope of the IT Act under the rather generic head of “other communication media”, the Amendment Act clarifies the scope of the IT Act by expressly including the term “wireless”.&lt;/p&gt;
&lt;h3&gt;Communication Devices&lt;/h3&gt;
&lt;p&gt;The IT Amendment Bill, 2006, had provided an explanation for “communication devices” under Section 66A. This definition has been moved into the definition section and now applies across all sections of the IT Act 2008. “Communication devices” is defined to mean “a cell phone, personal digital assistance (PDA) device or combination of both or any device used to communicate, send or transmit any text, video, audio or image”.&lt;/p&gt;
&lt;p&gt;There has been case law even under the IT Act that has held mobile phones to fall within the ambit of the IT Act, as a result of which all the provisions of the Act that apply to computers are equally applicable to mobile phones. This amendment only makes that position more explicit.&lt;/p&gt;
&lt;h2&gt;Electronic Signatures&lt;/h2&gt;
&lt;p&gt;One of the major criticisms of the IT Act 2000 was the fact that it was not a technology neutral legislation. This was specifically so in relation to the provisions in the IT Act 2000 relating to the use of digital signatures for the purpose of authentication of electronic records. The statute made specific reference to the use of asymmetric cryptosystem technologies in the context of digital signatures, and, in effect, any authentication method that did not use this technology was not recognised under the IT Act 2000.&lt;/p&gt;
&lt;p&gt;The IT Act 2008 has attempted to make this more technology neutral. In doing so, the attempt has been to bring the law in line with the United Nations Commission on International Trade Law Model Law on Electronic Signatures (“Model Law”).&lt;/p&gt;
&lt;h3&gt;Replacement of Digital Signatures&lt;/h3&gt;
&lt;p&gt;The first significant change in the IT Act 2008 is the replacement of the term “digital signatures” with “electronic signatures” in almost all the provisions in the IT Act 2000. In some provisions, reference continues to be made to digital signatures, but the net effect of the amendments is to treat digital signatures as a subset (or an example of one type) of electronic signatures.&lt;/p&gt;
&lt;p&gt;Electronic signatures have been defined as the authentication of an electronic record using the authentication techniques specified in the 2nd Schedule to the Act, provided they are reliable.&lt;/p&gt;
&lt;p&gt;The reliability criterion has been introduced, very much along the lines of the Model Law. However, the contents of the 2nd Schedule are yet to be stipulated, which means that despite the existence of a reliability standard, the only authentication method available at this point in time is the digital signature regime.&lt;/p&gt;
&lt;h3&gt;Dual Requirement&lt;/h3&gt;
&lt;p&gt;One significant implication of this amendment is the introduction of a dual requirement – to meet the reliability standard as well as to be included in the 2nd Schedule. However, structuring the authentication procedures in this manner offsets the objective tests of neutrality borrowed from the Model Law, since an authentication method may meet the reliability test but will not be deemed to be legally enforceable unless it is notified in the 2nd Schedule.&lt;/p&gt;
&lt;p&gt;Additionally, there will be grounds for challenging electronic signatures that are notified to the 2nd Schedule, if it can be shown that the signature so notified is not reliable under the terms of the reliability criteria. This can act as an impediment to the recognition of electronic signatures by notification.&lt;/p&gt;
&lt;h3&gt;Emphasis on Digital Signatures&lt;/h3&gt;
&lt;p&gt;Another concern is the treatment of digital signatures in the post amendment statute. The IT Act 2008 continues to retain all the provisions relating to digital signatures within the main body of the statute. The term “digital signature” has not been uniformly substituted with “electronic signature” throughout the statute. In certain provisions this leads to a certain amount of absurdity, such as in those relating to representations made as to the issuance, suspension or revocation of digital signature certificates; due to the lack of uniformity, these principles now apply only to digital signatures and not to all types of electronic signatures. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;It would have been preferable if the provisions relating to digital signatures had been moved in their entirety to the 2nd Schedule. Then, digital signatures would have become just another class of electronic signatures listed in the Schedule. By omitting to do this, the authors ensure that digital signature-specific provisions remaining in the main body of the statute challenge the technology neutrality of the statute.&lt;/p&gt;
&lt;h3&gt;Certifying Authorities&lt;/h3&gt;
&lt;p&gt;The IT Act 2008 has made the certifying authority the repository of all electronic signatures issued under the statute. Given that there are, at present, multiple certifying authorities, this provision is impractical. Instead, the statute should have either referred to the Controller of Certifying Authorities or should have been worded to state that each certifying authority would be the repository for all electronic signature certificates issued by it.&lt;/p&gt;
&lt;h3&gt;Impact on Other Statutes&lt;/h3&gt;
&lt;p&gt;Since the enactment of the IT Act 2000, amendments have been carried out in other statutes, relying on the concept of digital signatures. For instance, the Negotiable Instruments Act, 1881, makes the use of a digital signature essential for an electronic cheque.1 While the IT Act 2008 has expanded the scope of the available authentication measures, by introducing the technologically neutral concept of electronic signatures, corresponding amendments in other statutes like the Negotiable Instruments Act, 1881, will need to be carried out, so that they are not limited in their application to digital signatures.&lt;/p&gt;
&lt;h2&gt;Data Protection&lt;/h2&gt;
&lt;p&gt;Prior to the passing of the IT Act 2008, the concept of 'data protection' was not recognised in India. The amendments have now introduced some amount of legal protection for data stored in the electronic medium. This chapter analyses the changes sought to be introduced and their impact on data protection law in India.&lt;/p&gt;
&lt;h3&gt;Data under the IT Act 2000&lt;/h3&gt;
&lt;p&gt;The only provision under the IT Act 2000, which dealt with unauthorised access and damage to data, was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.&lt;/p&gt;
&lt;h3&gt;Data under the IT Act 2008&lt;/h3&gt;
&lt;p&gt;Under the IT Act 2008, far-reaching changes have been made in relation to data. Two sections have been inserted specifically for that purpose – Sections 43-A and 72-A, one dealing with the civil and the other with the criminal remedies in relation to the breach of data related obligations.&lt;/p&gt;
&lt;h3&gt;The Civil Remedies for Data Protection&lt;/h3&gt;
&lt;p&gt;The newly introduced Section 43-A reads as follows:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.&lt;/p&gt;
&lt;p&gt; Explanation - For the purposes of this section:&lt;/p&gt;
&lt;p&gt; (i)&amp;nbsp; “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;&lt;/p&gt;
&lt;p&gt;(ii) “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; and&lt;/p&gt;
&lt;p&gt;(iii)&amp;nbsp; “Sensitive Personal Data or Information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;While at first this provision appears to address several long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.&lt;/p&gt;
&lt;h3&gt;Non-Electronic Data&lt;/h3&gt;
&lt;p&gt;In the first instance, there is no mention, under this provision, of non-electronic data. Most international data protection statutes recognise and protect data stored in any electronic medium or a relevant filing system (including, for instance, a salesperson's diary). The newly introduced provisions of the IT Act 2008 do not provide any protection for data stored in a non-electronic medium.&lt;/p&gt;
&lt;p&gt;It could be argued that given the legislative focus of this statute (it has been called the Information Technology Act for a reason), it would be inappropriate to include within this statute protection for forms of data that do not relate to the digital or electronic medium. While that argument is valid, those who look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has been facing all these years must temper their enthusiasm, as these new provisions merely provide solutions for electronic data.&lt;/p&gt;
&lt;h3&gt;Classification of Data&lt;/h3&gt;
&lt;p&gt;Most international data protection statutes distinguish between different levels of personal data – specifying different levels of protection for personal information and sensitive personal information. Depending on whether the data can be classified as one or the other, they have different levels of protection, as loss, unauthorised access or disclosure of sensitive personal information is considered to have a deeper impact on the data subject.&lt;/p&gt;
&lt;p&gt;The new provisions of the IT Act 2008 make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data not deemed to be sensitive is to be treated. In essence, personal information and sensitive personal information do not appear to be differentially treated in the context of data protection.&lt;/p&gt;
&lt;h3&gt;Consequences&lt;/h3&gt;
&lt;p&gt;Under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;However, under the new provisions of the IT Act 2008, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act 2008 appears to have widened the net considerably.&lt;/p&gt;
&lt;h3&gt;Negligence in Implementing Security Practices&lt;/h3&gt;
&lt;p&gt;Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform.&lt;/p&gt;
&lt;p&gt;There is a significant difference between the terms “negligence to implement” and “failure to implement”. The former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed; it has to be proved in addition that the body corporate was negligent.&lt;/p&gt;
&lt;h3&gt;Wrongful Loss and Gain&lt;/h3&gt;
&lt;p&gt;The Section appears to have been constructed on the basis that a breach has occurred in the event that any “wrongful gain” or “wrongful loss” was suffered. These terms have not been defined either under statutes or through any judicial precedents in the civil context. However, these terms do have a definition under criminal law in India. The Indian Penal Code, 1860 (“IPC”), defines “Wrongful Gain” to mean gain, by unlawful means, of property to which the person gaining is not legally entitled; and “Wrongful Loss” to mean the loss by unlawful means of property to which the person losing it is legally entitled.&lt;/p&gt;
&lt;p&gt;There does not appear to be any greater significance in the use of these terms even though they are typically found in criminal statutes. Therefore, apart from the slight ambiguity as to purpose, their use in the IT Act does not appear to have any great significance.&lt;/p&gt;
&lt;h3&gt;Limitation on Liability&lt;/h3&gt;
&lt;p&gt;The provisions of Section 43 originally had the total liability for a breach capped at Rs. 5,00,00,000 (five crore rupees). The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liabilities.&lt;/p&gt;
&lt;h3&gt;Reasonable Security Practices and Procedures&lt;/h3&gt;
&lt;p&gt;Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;By agreement;&lt;/li&gt;&lt;li&gt;By law; and&lt;/li&gt;&lt;li&gt;By prescription by the Central Government.&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;&lt;br /&gt;As there is no law in India which sets out an appropriate definition for the term, and since it will be some time before the Central Government comes out with the necessary regulations, it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.&lt;/p&gt;
&lt;p&gt;As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practices and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.&lt;/p&gt;
&lt;h3&gt;The Criminal Remedies for Unlawful Disclosure of Information&lt;/h3&gt;
&lt;p&gt;In addition to the civil remedies spelled out in such detail in Section 43-A, the newly introduced provisions of Section 72-A of the IT Act 2008 could be used to impose criminal sanctions against any person who discloses information in breach of a contract for services. While not exactly a data protection provision in the same way that Section 43-A is, there are enough similarities in purpose to achieve the same result.&lt;/p&gt;
&lt;p&gt;Section 72-A reads:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt; Punishment for Disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such&amp;nbsp; material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rupees five lakh, or with both.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In substance, this provision appears to be focused on providing criminal remedies in the context of breach of confidentiality obligations under service contracts; given that the section specifically refers to the disclosure of personal information obtained under that service contract, it is fair to classify this as a provision that addresses data protection issues.&lt;/p&gt;
&lt;h3&gt;Personal Information&lt;/h3&gt;
&lt;p&gt;The IT Act 2008 does not define “personal information”. Equally, there are no judicial precedents that provide any clarity on the term. The Right to Information Act, 2005 does provide a definition for “personal information”, but that definition is inappropriate in the context of the IT Act 2008. In the absence of a useable definition for the term “personal information”, it becomes difficult to assess the scope and ambit of the provision and in particular to understand the extent to which it is enforceable.&lt;/p&gt;
&lt;h3&gt;"Willful"&lt;/h3&gt;
&lt;p&gt;The section would only apply to persons who willfully disclose personal information and cause wrongful loss or gain. Hence, in order to make a person liable it has to be proved that the person disclosing the personal information did so with an intention to cause wrongful loss or gain. It would be a valid defense to claim that any loss caused was unintentional.&lt;/p&gt;
&lt;h3&gt;Service Contracts&lt;/h3&gt;
&lt;p&gt;The section appears to be particular about the fact that it only applies in the context of personal information obtained under a contract for services. This appears to rule out confidential information (that is not of a personal nature) that has been received under any other form of agreement (including, for example, a technology license agreement). The section is clearly intended to protect against the misuse of personal information and cannot be adapted to provide a wider level of protection against all breaches of confidential information. That said, employers now have a much stronger weapon against employees who leave with the personal records of other fellow employees.&lt;/p&gt;
&lt;h3&gt;Consent&lt;/h3&gt;
&lt;p&gt;This section also clearly applies only to those disclosures of personal information with the intent to cause wrongful loss or gain which have taken place without the consent of the person whose personal information is being disclosed. What remains to be seen is how the law will deal with situations where a general consent for disclosures has been obtained at the time of recruitment.&lt;/p&gt;
&lt;p&gt;Such clauses are made effective around the world by including opt in and opt out clauses, to allow the employee to either expressly agree to the disclosure of his personal information or to specifically exclude himself from the ambit of any such disclosures.&lt;/p&gt;
&lt;h3&gt;Media of Material&lt;/h3&gt;
&lt;p&gt;This section, unlike several other provisions of the IT Act 2008, deals with all manner of materials without requiring them to be digital. However, while disclosure of information stored in the non-electronic medium has been recognised, in the absence of a clear definition of personal information, it is difficult to ascertain the application and enforcement of this section.&lt;/p&gt;
&lt;h3&gt;What’s Missing&lt;/h3&gt;
&lt;p&gt;In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilisation and proper disposal of data. At present the statute is silent about these aspects. In many ways, the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to any other corporate entity for processing. Within these specific parameters the statute works well. However, it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/it-act-and-commerce'&gt;https://cis-india.org/internet-governance/blog/it-act-and-commerce&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranesh</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Digital Governance</dc:subject>
    
    
        <dc:subject>Data Protection</dc:subject>
    
    
        <dc:subject>Authentication</dc:subject>
    
    
        <dc:subject>Security</dc:subject>
    

   <dc:date>2011-08-02T07:41:45Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/primer-it-act">
    <title>Primer on the New IT Act</title>
    <link>https://cis-india.org/internet-governance/blog/primer-it-act</link>
    <description>
        &lt;b&gt;With this draft information bulletin, we briefly discuss some of the problems with the Information Technology Act, and invite your comments.&lt;/b&gt;
        
&lt;p align="justify"&gt;The latest amendments to
the Information Technology Act 2000, passed in December 2008 by the
Lok Sabha, and the draft rules framed under it contain several provisions
that can be abused and misused to infringe seriously on citizens'
fundamental rights and basic civil liberties. We have already &lt;a href="https://cis-india.org/internet-governance/it-act/short-note-on-amendment-act-2008" class="internal-link" title="Short note on IT Amendment Act, 2008"&gt;written about some of the problems&lt;/a&gt; with this Act earlier.&amp;nbsp; With this information bulletin, drafted by Chennai-based advocate Ananth Padmanabhan, we wish to extend that analysis into the form of a citizens' dialogue highlighting ways in which the Act and the rules under it fail.&amp;nbsp; Thus, we invite your comments, suggestions, and queries, as this is very much a work in progress.&amp;nbsp; We will eventually consolidate this dialogue and follow up with the government on the concerns of its citizens.&lt;/p&gt;
&lt;h3 align="justify"&gt;Intermediaries
beware&lt;/h3&gt;
&lt;p align="justify"&gt;Internet service
providers, webhosting service providers, search engines, online
payment sites, online auction sites, online market places, and cyber
cafes are all examples of “intermediaries” under this Act. The
Government can force any of these intermediaries to cooperate with
any interception, monitoring or decryption of data by stating broad
and ambiguous reasons such as the “interest of the sovereignty or
integrity of India”, “defence of India”, “security of the
State”, “friendly relations with foreign States”, “public
order” or for “preventing incitement to” or “investigating”
the commission of offences related to those. This power can be abused
to infringe on the privacy of intermediaries as well as to hamper
their constitutional right to conduct their business without interference.&lt;/p&gt;
&lt;p align="justify"&gt;If a Google search on
“Osama Bin Laden” throws up an article that claims to have
discovered his place of hiding, the Government of India can issue a
direction authorizing the police to monitor Google’s servers to
find the source of this information. While Google can, of course,
establish that this information cannot be attributed directly to the
organization, making the search unwarranted, that would not help it
much.  While section 69 grants the government these wide-ranging
powers, it does not provide for adequate safeguards in the form of having to show due cause or having an in-built right of appeal against a decision by the government. If Google refused
to cooperate under such circumstances, its directors would be liable
to imprisonment of up to seven years.&lt;/p&gt;
&lt;h3 align="justify"&gt;Pre-censorship&lt;/h3&gt;
&lt;p align="justify"&gt;The State has been given
unbridled power to block access to websites as long as such blocking
is deemed to be in the interest of sovereignty and integrity of
India, defence of India, security of the State, friendly relations
with foreign States, and other such matters.&lt;/p&gt;
&lt;p align="justify"&gt;Thus, if a web portal or
blog carries or expresses views critical of the Indo-US nuclear deal,
the government can block access to the website and thus muzzle criticism
of its policies.&amp;nbsp;&amp;nbsp; While some may find that suggestion outlandish, it is very much possible under the Act.&amp;nbsp; Since there is no right to be heard before your website is taken down nor is there an in-built mechanism for the website owner to appeal, the decisions made by the government cannot be questioned unless you are prepared to undertake a costly legal battle.&amp;nbsp;&lt;/p&gt;
&lt;p align="justify"&gt;Again, if an intermediary (like Blogspot or an ISP like Airtel) refuses to cooperate, its directors may be personally liable to imprisonment for up to a period of seven years.&amp;nbsp; Thus, being personally liable, the intermediaries are rid of any incentive to stand up for the freedom of speech and expression.&lt;/p&gt;
&lt;h3 align="justify"&gt;We need to monitor your computer: you have a virus&lt;/h3&gt;
&lt;p align="justify"&gt;The government has been
vested with the power to authorize the monitoring and collection of
traffic data and information generated, transmitted, received or
stored in any computer resource.  This provision is much too
widely-worded.&amp;nbsp;&lt;/p&gt;
&lt;p align="justify"&gt;For instance, if the
government feels that there is a virus on your computer that can
spread to another computer, it can demand access to monitor your
e-mails on the ground that such monitoring enhances “cyber
security” and prevents “the spread of computer contaminants”.&lt;/p&gt;
&lt;h3 align="justify"&gt;Think before you click "Send"&lt;/h3&gt;
&lt;p align="justify"&gt;If out of anger you send
an e-mail for the purpose of causing “annoyance” or
“inconvenience”, you may be liable for imprisonment up to three
years along with a fine.  While that provision (section 66A(c)) was
meant to combat spam and phishing attacks, it criminalizes much more
than it should.&lt;/p&gt;
&lt;h3 align="justify"&gt;A new brand of "cyber terrorists"&lt;/h3&gt;
&lt;p align="justify"&gt;The new offence of “cyber
terrorism” has been introduced, which is so badly worded that it
borders on the ludicrous.&amp;nbsp; If a journalist gains
unauthorized access to a computer where information regarding
corruption by certain members of the judiciary is stored, she becomes
a “cyber terrorist” as the information may be used to cause
contempt of court.&amp;nbsp; There is no precedent for any such definition of cyberterrorism.&amp;nbsp; It is unclear what definition of terrorism the government is going by when even unauthorized access to defamatory material is considered cyberterrorism.&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/primer-it-act'&gt;https://cis-india.org/internet-governance/blog/primer-it-act&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranesh</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Digital Governance</dc:subject>
    
    
        <dc:subject>Public Accountability</dc:subject>
    
    
        <dc:subject>Intermediary Liability</dc:subject>
    
    
        <dc:subject>Censorship</dc:subject>
    

   <dc:date>2011-08-02T07:41:54Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/comments-draft-rules">
    <title>Comments on the Draft Rules under the Information Technology Act</title>
    <link>https://cis-india.org/internet-governance/blog/comments-draft-rules</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society commissioned an advocate, Ananth Padmanabhan, to produce a comment on the Draft Rules that have been published by the government under the Information Technology Act.  In his comments, Mr. Padmanabhan highlights the problems with each of the rules and presents specific recommendations on how they can be improved.  These comments were sent to the Department of Information and Technology.&lt;/b&gt;
        
&lt;h2&gt;&lt;em&gt;Comments on the Draft Rules under the Information Technology Act as Amended by the Information Technology (Amendment) Act, 2008&lt;/em&gt;&lt;/h2&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Submitted by the Centre for Internet and Society, Bangalore&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;Prepared by Ananth Padmanabhan, Advocate in the Madras High Court&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Interception, Monitoring and Decryption&lt;/h2&gt;
&lt;h3&gt;Section 69&lt;/h3&gt;
&lt;p&gt;The section says:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource. &lt;/li&gt;&lt;li&gt;The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.&lt;/li&gt;&lt;li&gt;The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; (a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; (b) intercept, monitor, or decrypt the information, as the case may be; or&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; (c) provide information stored in computer resource.&lt;/p&gt;
&lt;ol start="4"&gt;&lt;li&gt;The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;Recommendation #1&lt;/strong&gt;&lt;br /&gt;Section 69(3) should be amended and the following proviso be inserted:&lt;/p&gt;
&lt;p class="callout"&gt;Provided that only those intermediaries with respect to any information or computer resource that is sought to be monitored, intercepted or decrypted, shall be subject to the obligations contained in this sub-section, who are, in the opinion of the appropriate authority, prima facie in control of such transmission of the information or computer resource. The nexus between the intermediary and the information or the computer resource that is sought to be intercepted, monitored or decrypted should be clearly indicated in the direction referred to in sub-section (1) of this section.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for the Recommendation &lt;/strong&gt;&lt;br /&gt;In the case of any information or computer resource, there may be more than one intermediary who is associated with such information. This is because “intermediary” is defined in section 2(w) of the amended Act as,&lt;/p&gt;
&lt;p class="callout"&gt;“with respect to any electronic record means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;The State or Central Government should not be given wide-ranging powers to enforce cooperation on the part of any such intermediary without there being a clear nexus between the information that is sought to be decrypted or monitored by the competent authority, and the control that any particular intermediary may have over such information.&lt;/p&gt;
&lt;p&gt;To give an illustration, merely because some information may have been posted on an online portal, the computer resources in the office of the portal should not be monitored unless the portal has some concrete control over the nature of information posted in it. This has to be stipulated in the order of the Central or State Government which authorizes interception of the intermediary.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #2&lt;/strong&gt;&lt;br /&gt;Section 69(4) should be repealed.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for the Recommendation&lt;/strong&gt;&lt;br /&gt;The closest parallels to Section 69 of the Act are the provisions in the Telegraph Rules which were brought in after the decision in PUCL v. Union of India, (1997) 1 SCC 301, famously known as the telephone tapping case.&lt;/p&gt;
&lt;p&gt;Section 69(4) fixes tremendous liability on the intermediary for non-cooperation. This is violative of Article 14.&amp;nbsp; Similar provisions in the Indian Penal Code and Code of Criminal Procedure, which demand cooperation from members of the public as regards production of documents, letters etc., and impose punishment for non-cooperation on their part, impose a maximum punishment of one month. It is bewildering why the punishment is 7 years imprisonment for an intermediary, when the only point of distinction between an intermediary under the IT Act and a member of the public under the IPC and CrPC is the difference in the media which contains the information.&lt;/p&gt;
&lt;p&gt;Section 69(3) is akin to the duty cast upon members of the public to extend cooperation under Section 39 of the Code of Criminal Procedure by way of providing information as to commission of any offence, or the duty, when a summons is issued by the Court or the police, to produce documents under Sections 91 and 92 of the Code of Criminal Procedure. The maximum punishment for non-cooperation prescribed by the Indian Penal Code for omission to cooperate or wilful breach of summons is only a month under Sections 175 and 176 of the Indian Penal Code. Even the maximum punishment for furnishing false information to the police is only six months under Section 177 of the IPC. When this is the case with production of documents required for the purpose of trial or inquiry, it is wholly arbitrary to impose a punishment of six years in the case of intermediaries who do not extend cooperation for providing access to a computer resource which is merely apprehended as being a threat to national security etc. A mere apprehension, however reasonable it may be, should not be used to pin down a liability of such extreme nature on the intermediary.&lt;/p&gt;
&lt;p&gt;This would also amount to a violation of Articles 19(1)(a) as well as 19(1)(g) of the Constitution, not to mention Article 20(3). To give an example, much of the information received from confidential sources by members of the press would be stored in computer resources. By coercing them, through the 7 year imprisonment threat, to allow access to this computer resource and thereby part with this information, the State is directly infringing on their right under Article 19(1)(a).&amp;nbsp; Furthermore, if the “subscriber” is the accused, then section 69(4) goes against Article 20(3) by forcing the accused to bear witness against himself.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;Draft Rules under Section 69 &lt;br /&gt;&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Rule 3&lt;/strong&gt;&lt;br /&gt;Directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub- section (2) of section 69 of the Information Technology (Amendment) Act, 2008 (hereinafter referred to as the said Act) shall not be issued except by an order made by the concerned competent authority who is Union Home Secretary in case of Government of India; the Secretary in-charge of Home Department in a State Government or Union Territory as the case may be. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or by an officer equivalent to rank of Joint Secretary to Government of India duly authorised by the Secretary in-charge of Home Department in the State Government or Union Territory, as the case may be:&lt;/p&gt;
&lt;p&gt;Provided that in emergency cases – &lt;br /&gt;(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or &lt;br /&gt;(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible;&lt;/p&gt;
&lt;p&gt;the required interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be carried out with the prior approval of the Head or the second senior most officer of the Security and Law Enforcement Agencies (hereinafter referred to as the said Security Agencies) at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police or an officer of equivalent rank, at the State and Union Territory level. The concerned competent authority, however, shall be informed of such interceptions or monitoring or decryption by the approving authority within three working days and that such interceptions or monitoring or decryption shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the concerned competent authority is not received within the stipulated seven working days, such interception or monitoring or decryption shall cease and the same information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the concerned competent authority, as the case may be.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #3&lt;/strong&gt;&lt;br /&gt;In Rule 3, the following proviso may be inserted:&lt;/p&gt;
&lt;p class="callout"&gt;“Provided that in the event of cooperation by any intermediary being required for the purpose of interception, monitoring or decryption of such information as is referred to in this Rule, prior permission from a Supervisory Committee headed by a retired Judge of the Supreme Court or the High Courts shall be obtained before seeking to enforce the Order mentioned in this Rule against such intermediary.”&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Reasons for the Recommendation &lt;/strong&gt;&lt;br /&gt;Section 69 and the draft rules suffer from an absence of essential procedural safeguards. This results from the blanket emulation of the Telegraph Rules. Additional safeguards should have been prescribed to ensure that the intermediary is put to minimum hardship when monitoring is carried out or access to a computer resource is granted. Such actions are akin to a raid, in the sense that they can stop an online e-commerce portal from carrying out operations for a day or even more, thus affecting its revenue. It is therefore recommended that in any situation where cooperation from the intermediary is sought, prior judicial approval has to be taken. The Central or State Government cannot be the sole authority in such cases.&lt;/p&gt;
&lt;p&gt;Furthermore, since access to the computer resource is required, an executive order should not suffice, and a search warrant or an equivalent which results from a judicial application of the mind (by the Supervisory Committee, for instance) should be required.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #4&lt;/strong&gt;&lt;br /&gt;The following should be inserted after the last line in Rule 22:&lt;/p&gt;
&lt;p class="callout"&gt;The Review Committee shall also have the power to award compensation to the intermediary in cases where the intermediary has suffered loss or damage due to the actions of the competent authority while implementing the order issued under Rule 3.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Reasons for the Recommendation&lt;/strong&gt;&lt;br /&gt;The Review Committee should be given the power to award compensation for the loss suffered by the intermediary in cases where the police use equipment or software for monitoring/decryption that causes damage to the intermediary’s computer resources / networks. The Review Committee should also be given the power to award compensation in the case of monitoring directions which are later found to be frivolous or, even worse, born out of mala fide considerations. These provisions will act as a disincentive against the abuse of power contained in Section 69.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h2&gt;Blocking of Access to Information&lt;/h2&gt;
&lt;h3&gt;Section 69A&lt;/h3&gt;
&lt;p&gt;The section provides for blocking of websites if the government is satisfied that it is in the interests of the purposes enlisted in the section. It also provides for a penalty of up to seven years for intermediaries who fail to comply with the directions under this section. &lt;br /&gt;The rules under this section describe the procedure which has to be followed, failing which the review committee may, after due examination of the procedural defects, order an unblocking of the website.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Section 69A(3)&lt;/strong&gt;&lt;br /&gt;The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Recommendation #5&lt;/strong&gt;&lt;br /&gt;The penalty for intermediaries must be lessened.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Reasons for Recommendations &lt;/strong&gt;&lt;br /&gt;The penal provision in this section which prescribes up to seven years imprisonment and a fine on an intermediary who fails to comply with the directions so issued is also excessively harsh. Considering the fact that various mechanisms are available to escape the blocking of websites, the intermediaries must be given enough time and space to administer the block effectively and strict application of the penal provisions must be avoided in bona fide cases.&lt;/p&gt;
&lt;p&gt;The criticism about Section 69 and the draft rules in so far as intermediary liability is concerned, will also apply mutatis mutandis to these rules as well as Section 69A.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;Draft Rules under Section 69A&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Rule 22: Review Committee&lt;/strong&gt;&lt;br /&gt;The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (16) are in accordance with the provisions of sub-section (2) of section 69A of the Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #6&lt;/strong&gt;&lt;br /&gt;A permanent Review Committee should be set up specially for the purposes of examining procedural lapses.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for Recommendation &lt;/strong&gt;&lt;br /&gt;Rule 22 provides for a review committee which shall meet a minimum of once in every two months and order the unblocking of a site if due procedures have not been followed. This would mean that if a site is blocked, it could take up to two months for a procedural lapse to be corrected and for the site to be unblocked. Even a writ filed against the policing agencies for unfair blocking would probably take around the same time. Also, it could well be the case that the review committee will be overburdened with cases and may fall short of time to inquire into each. Therefore, it is recommended that a permanent Review Committee be set up which will monitor procedural lapses and ensure that there is no blocking in the first place before all the due procedural requirements are met. &lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h2&gt;Monitoring and Collection of Traffic Data&lt;/h2&gt;
&lt;h3&gt;Draft Rules under Section 69B&lt;/h3&gt;
&lt;p&gt;The section provides for monitoring of computer networks or resources if the Central Government is satisfied that conditions so mentioned are satisfied.&lt;/p&gt;
&lt;p&gt;The rules provide for the manner in which the monitoring will be done, the process by which the directions for the same will be issued and the liabilities of the intermediaries and monitoring officers with respect to confidentiality of the information so monitored.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Grounds for Monitoring &lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Rule 4&lt;/strong&gt;&lt;br /&gt;The competent authority may issue directions for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource for any or all of the following purposes related to cyber security:&lt;br /&gt;(a) forecasting of imminent cyber incidents;&lt;br /&gt;(b) monitoring network application with traffic data or information on computer resource;&lt;br /&gt;(c) identification and determination of viruses/computer contaminant;&lt;br /&gt;(d) tracking cyber security breaches or cyber security incidents;&lt;br /&gt;(e) tracking computer resource breaching cyber security or spreading virus/computer contaminants;&lt;br /&gt;(f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security;&lt;br /&gt;(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;&lt;br /&gt;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;&lt;br /&gt;(i) any other matter relating to cyber security.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Rule 6&lt;/strong&gt;&lt;br /&gt;No direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule (4).&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #7&lt;/strong&gt;&lt;br /&gt;Clauses (a), (b), (c), and (i) of Rule 4 must be repealed.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for Recommendations &lt;/strong&gt;&lt;br /&gt;The term “cyber incident” has not been defined, and “cyber security” has been provided a circular definition.&amp;nbsp; Rule 6 clearly states that no direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule 4. Therefore, it may prima facie appear that the government is trying to lay down clear and strict safeguards when it comes to monitoring at the expense of a citizen’s privacy. However, Rule 4(i) allows the government to monitor if it is satisfied that it is “any matter related to cyber security”. This may well operate as a ‘catch all’ clause to legalise any kind of monitoring and collection, and therefore defeats the purported intention of Rule 6 of safeguarding citizens’ interests against arbitrary and groundless intrusion of privacy. Also, the question of the degree of liability of the intermediaries or persons in charge of the computer resources for leak of secret and confidential information remains unanswered. 
&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Rule 24: Disclosure of monitored data &lt;/strong&gt;&lt;br /&gt;Any monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, undertaken in course of his duty relating to the services provided by that intermediary, shall not be unlawful, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with :&lt;br /&gt;(vi) Accessing or analysing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #8&lt;/strong&gt;&lt;br /&gt;Safeguards must be introduced with respect to exercise of powers conferred by Rule 24(vi).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for Recommendations &lt;/strong&gt;&lt;br /&gt;Rule 24(vi) provides for access, collection and monitoring of information from a computer resource for the purposes of tracing another computer resource which has contravened or is likely to contravene provisions of the Act, where this is likely to have an adverse impact on the services provided by the intermediary. Analysis of a computer resource may reveal extremely confidential and important data, the compromise of which may cause losses worth millions. Therefore, the burden of proof for such an intrusion of privacy of the computer resource, which is first used to track another computer resource which is likely to contravene the Act, should be heavy. Also, this violation of privacy should be weighed against the benefits accruing to the intermediary. The framing of sub-rules under this clause clearly specifying the same is recommended.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;The disclosure of sensitive information by a monitoring agency for purposes of ‘general trends’ and ‘general analysis of cyber information’ is uncalled for as it dissipates information among lesser bodies that are not governed by sufficient safeguards and this could result in outright violation of citizens’ privacy.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h2&gt;Manner of Functioning of CERT-In&lt;/h2&gt;
&lt;h3&gt;Draft Rules under Section 70B(5)&lt;/h3&gt;
&lt;p&gt;Section 70B provides for an Indian Computer Emergency Response Team (CERT-In) which shall serve as a national agency for performing duties as prescribed by clause 4 of this section in accordance with the rules as prescribed.&lt;br /&gt;The rules provide for CERT-In’s authority, composition of advisory committee, constituency, functions and responsibilities, services, stakeholders, policies and procedures, modus operandi, disclosure of information and measures to deal with non-compliance with orders so issued. However, there are a few issues which need to be addressed as under:&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Definitions&lt;/strong&gt;&lt;br /&gt;In these Rules, unless the context otherwise requires, “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #9&lt;/strong&gt;&lt;br /&gt;The words ‘or implied’ must be excluded from rule 2(g) which defines ‘cyber security incident’, and the term ‘security policy’ must be qualified to state what security policy is being referred to.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for Recommendation&lt;/strong&gt;&lt;br /&gt;“Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;Thus, the section defines any circumstance where an explicit or implied security policy is contravened as a ‘cyber security incident’. Without clearly stating what the security policy is, an inquiry into its contravention is against an individual’s civil rights. If an individual’s actions are to be restricted for reasons of security, then the restrictions must be expressly defined and such restrictions cannot be said to be implied.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Rule 13(4): Disclosure of Information &lt;/strong&gt;&lt;br /&gt;Save as provided in sub-rules (1), (2), (3) of rule 13, it may be necessary or expedient to so to do, for CERT-In to disclose all relevant information to the stakeholders, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence relating to cognizable offence or enhancing cyber security in the country.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #10&lt;/strong&gt;&lt;br /&gt;Burden of necessity for disclosure of information should be made heavier.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for the Recommendation&lt;/strong&gt;&lt;br /&gt;Rule 13(4) allows the disclosure of information by CERT-In in the interests of ‘enhancing cyber security’. This enhancement, however, needs to be weighed against the detriment caused to the individual, and the burden of proof must be on CERT-In to show that this was the only way of achieving what was required.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Rule 19: Protection for actions taken in Good Faith &lt;/strong&gt;&lt;br /&gt;All actions of CERT-In and its staff acting on behalf of CERT-In are taken in good faith in fulfillment of its mandated roles and functions, in pursuance of the provisions of the Act or any rule, regulations or orders made thereunder. CERT-In and its staff acting on behalf of CERT-In shall not be held responsible for any unintended fallout of their actions.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #11&lt;/strong&gt;&lt;br /&gt;CERT-In should be made liable for its negligent actions, and no presumption of good faith as such should be provided for.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for the Recommendation &lt;/strong&gt;&lt;br /&gt;Rule 19 provides for the protection of CERT-In members for the actions taken in ‘good faith’. It defines such actions as ‘unintended fallouts’. Clearly, if information has been called for and the same is highly confidential, then this rule bars the remedy for any leak of the same due to the negligence of the CERT-In members. This is clearly not permissible as an agency that calls for delicate information should also be held responsible for mishandling the same, intentionally or negligently.&amp;nbsp; Good faith can be established if the need arises, and no presumption as to good faith needs to be provided.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;Draft Rules under Section 52&lt;/h3&gt;
&lt;p&gt;These rules, entitled the “Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009” are meant to prescribe the framework for the independent and smooth functioning of the Cyber Appellate Tribunal. This is so because of the specific functions entrusted to this Appellate Tribunal. Under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, this Tribunal has the power to entertain appeals against orders passed by the adjudicating officer under Section 47.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #12&lt;/strong&gt;&lt;br /&gt;Amend the qualifications in the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, to require judicial training and experience.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for the Recommendation&lt;/strong&gt;&lt;br /&gt;It is submitted that an examination of these rules governing the Appellate Tribunal cannot be made independent of the powers and qualifications of Adjudicating Officers who are the original authority to decide on contravention of provisions in the IT Act dealing with damage to computer system and failure to furnish information. Even as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, persons who did not possess judicial experience and training, such as those holding the post of Director in the Central Government, were qualified to perform functions under Section 46 and decide whether there has been unauthorized access to a computer system. This involves appreciation of evidence and is not a merely administrative function that could be carried on by any person who has basic knowledge of information technology.&lt;/p&gt;
&lt;p&gt;Viewed from this angle, the qualifications of the Cyber Appellate Tribunal members should have been made much tighter as per the new draft rules. The above rules, when read with Section 50 of the IT Act, as amended in 2008, do not say anything about the qualification of the technical members apart from the fact that such person shall not be appointed as a Member, unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary or Joint Secretary or any equivalent post, though special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs, has been prescribed in the Act as a requirement for any technical member.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;Draft Rules under Section 54&lt;/h3&gt;
&lt;p&gt;These Rules do not suffer any defect and provide for a fair and reasonable enquiry in so far as allegations made against the Chairperson or the members of the Cyber Appellate Tribunal are concerned.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h2&gt;Penal Provisions&lt;/h2&gt;
&lt;h3&gt;Section 66A&lt;/h3&gt;
&lt;p&gt;Any person who sends, by means of a computer resource or a communication device,&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; (a) any information that is grossly offensive or has menacing character; or&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,&lt;br /&gt;shall be punishable with imprisonment for a term which may extend to three years and with fine.&lt;br /&gt;Sec. 32 of the 2008 Act inserts Sec. 66A which provides for penal measures for mala fide use of electronic resources to send information detrimental to the receiver. For the section to be attracted the ‘information’ needs to be grossly offensive, menacing, etc. and the sender needs to have known it to be false.&lt;/p&gt;
&lt;p&gt;While the intention of the section – to prevent activities such as spam-sending – might be sound and even desirable, there is still a strong argument to be made that the use of words such as ‘annoyance’ and ‘inconvenience’ (in s.66A(c)) is highly problematic.&amp;nbsp; Further, something can be grossly offensive without touching upon any of the conditions laid down in Article 19(2).&amp;nbsp; Without satisfying the conditions of Article 19(2), this provision would be ultra vires the Constitution.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #13&lt;/strong&gt;&lt;br /&gt;The section should be amended and words which lead to ambiguity must be excluded.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Reasons for the Recommendation &lt;/strong&gt;&lt;br /&gt;What exactly could convey ‘ill will’ or cause annoyance in electronic forms needs clearer phrasing. It is possible in some electronic forms for the receiver to know the content of the information. In such circumstances, if such a possibility is ignored and annoyance does occur, is the sender still liable? Keeping in mind the complexity of the use of electronic modes of transmitting information, it can be said that several such conditions arise which the section has only vaguely covered. Therefore, a stricter and more clinical approach is necessary.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #14&lt;/strong&gt;&lt;br /&gt;A proviso should be inserted to this section providing for specific exceptions to the offence contained in this section for reasons such as fair comment, truth, criticism of actions of public officials etc.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Reasons for the Recommendation &lt;/strong&gt;&lt;br /&gt;The major problem with Section 66A lies in clause (c) as per which any electronic mail or electronic mail message sent with the purpose of causing annoyance or inconvenience is covered within the ambit of offensive messages. This does not pay heed to the fact that even a valid and true criticism of the actions of an individual, when brought to his notice, can amount to annoyance. Indeed, it may be brought to his attention with the sole purpose of causing annoyance to him. When interpreting the Information Technology Act, it is to be kept in mind that the offences created under this Act should not go beyond those prescribed in the Indian Penal Code except where there is a wholly new activity or conduct, such as hacking for instance, which is sought to be criminalized.&lt;/p&gt;
&lt;p&gt;Offensive messages have been criminalized in the Indian Penal Code subject to the conditions specified in Chapter XXII being present. It is not an offence to verbally insult or annoy someone without anything more being done such as a threat to commit an offence, etc. When this is the case with verbal communications, there is no reason to make an exception for those made through the electronic medium and bring any electronic mail or message sent with the purpose of causing annoyance or inconvenience within the purview of an offensive message.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;Section 66F&lt;/h3&gt;
&lt;p&gt;The definition of cyber-terrorism under this provision is too wide and can cover several activities which are not actually of a “terrorist” character. &lt;br /&gt;Section 66F(1)(B) is particularly harsh and goes much beyond acts of “terrorism” to include various other activities within its purview. As per this provision, &lt;br /&gt;“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”&lt;/p&gt;
&lt;p&gt;This provision suffers from several defects and hence ought to be repealed.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Recommendation #15&lt;/strong&gt;&lt;br /&gt;Section 66F(1)(B) has to be repealed or suitably amended to water down the excessively harsh operation of this provision. The restrictive nature of the information that is unauthorisedly accessed must be confined to those that are restricted on grounds of security of the State or foreign relations. The use to which such information may be put should again be confined to injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mere advantage to a foreign nation cannot render the act of unauthorized access one of cyber-terrorism as long as such advantage is not injurious or harmful in any manner to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mens rea requirement should also be introduced whereby mere knowledge that the information which is unauthorisedly accessed can be put to such uses as given in this provision should not suffice for the unauthorised access to amount to cyber-terrorism. The unauthorised access should be with the intention to put such information to this use. The amended provision would read as follows:&lt;/p&gt;
&lt;p class="callout"&gt;“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, with the intention that such information, data or computer database so obtained may be used to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, commits the offence of cyber terrorism.”&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Reasons for the Recommendation &lt;/strong&gt;&lt;br /&gt;The ambit of this provision goes much beyond information, data or computer database which is restricted only on grounds of security of the State or foreign relations and extends to “any restricted information, data or computer database”. This expression covers any government file which is marked as confidential or saved in a computer used exclusively by the government. It also covers any file saved in a computer exclusively used by a private corporation or enterprise. Even the use to which such information can be put need not be confined to those that cause or are likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States. Information or data that is defamatory, amounts to contempt of court, or is against decency or morality is also covered within the scope of this provision. This goes way beyond the idea of a terrorist activity and poses serious questions. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.&lt;/p&gt;
&lt;p&gt;To give an illustration, if a journalist managed to unauthorisedly break into a restricted database, even one owned by a private corporation, and stumbled upon information that is defamatory in character, he would have committed an act of “cyber-terrorism.” Various kinds of information pertaining to corruption in the judiciary may be precluded from being unauthorisedly accessed on the ground that such information may be put to use for committing contempt of court. Any person who gains such access would again qualify as a cyber-terrorist. The factual situations are numerous where this provision can be put to gross misuse with the ulterior motive of muzzling dissent or freezing access to information that may be restricted in nature but nonetheless have a bearing on probity in public life etc. It is therefore imperative that this provision be toned down as recommended above. &lt;br /&gt;&lt;br /&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/comments-draft-rules'&gt;https://cis-india.org/internet-governance/blog/comments-draft-rules&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>pranesh</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>IT Act</dc:subject>
    
    
        <dc:subject>Encryption</dc:subject>
    
    
        <dc:subject>Intellectual Property Rights</dc:subject>
    
    
        <dc:subject>Intermediary Liability</dc:subject>
    
    
        <dc:subject>Publications</dc:subject>
    
    
        <dc:subject>Censorship</dc:subject>
    

   <dc:date>2011-09-21T06:13:42Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
