The Centre for Internet and Society
https://cis-india.org
CIS Para-wise Comments on Draft Reasonable Security Practices Rules, 2011
https://cis-india.org/internet-governance/blog/security-practices-rules
<b>On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011) in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.</b>
<h2>A. Specific Objections</h2>
<h3>Rule 3</h3>
<blockquote>
<p>Sensitive personal data or information.— Sensitive personal data or information of a person shall include information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of :</p>
<p>Password;</p>
<p>...</p>
<p>Call data records;</p>
</blockquote>
<h3>Comment</h3>
<p>We suggest that this list be expanded to include information such as sexual orientation, religion and caste. In addition, “electronic communication records” including emails, chat logs and other communications using a computer should be designated sensitive personal information.</p>
<h3>Rule 4</h3>
<blockquote>
<p>Body Corporate to provide policy for privacy and disclosure of information.— (1) The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle shall provide a privacy policy for handling of or dealing in user information including sensitive personal information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall provide for:</p>
<ul>
<li>
<p>Type of personal or sensitive information collected under sub-rule (ii) of rule 3;</p>
</li>
</ul>
<ul>
<li>
<p>Purpose, means and modes of usage of such information;</p>
</li>
<li>
<p>Disclosure of information as provided in rule 6</p>
</li>
</ul>
</blockquote>
<h3>Comment</h3>
<p>We recommend that the privacy policy be made available for view to all individuals to whom the information held by the body corporate pertains. Currently the privacy policy will only be disclosed to the “providers of information” who may not be the individual concerned directly.</p>
<h3>Rule 5</h3>
<p>Collection of information.—</p>
<blockquote>
<p>(1) Body corporate or any person on its behalf shall obtain consent of the provider of the information regarding purpose, means and modes of uses before collection of such information.</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend substituting the term “individual to whom the data pertains” for the phrase “provider of the information”.</p>
<blockquote>
<p>(2) Body corporate or any person on its behalf shall not collect sensitive personal information unless—</p>
<p>the information is collected for a lawful purpose connected with a function or activity of the agency; and</p>
<p>the collection of the information is necessary for that purpose.</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend a blanket prohibition of collection of biometric data unless a heightened security interest is demonstrated.</p>
<blockquote>
<p>(3) While collecting information directly from the individual concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the individual concerned is aware of.</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend a simpler phrase like “The body corporate ... shall take reasonable steps to inform the individual concerned” instead of the current complex phrasing. Reasonableness has generally been interpreted by courts contextually. For instance, the Supreme Court has remarked, “‘Reasonable’ means prima facie in law reasonable in regard to those circumstances of which the actor, called upon to act reasonably, knows or ought to know.” See Gujarat Water Supply and Sewage Board v. Unique Erectors (Guj) AIR 1989 SC 973.</p>
<blockquote>
<p>(4) Body corporate or any person on its behalf holding sensitive personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend that this be converted into a mandatory obligation to delete or anonymise the information collected within a stipulated period (say 6 months) after the expiry of use for which it was collected.</p>
<blockquote>
<p>(6) Body corporate or any person on its behalf shall permit the users to review the information they had provided and modify the same, wherever necessary.</p>
</blockquote>
<h3>Comment</h3>
<p>Individuals should have the right to review and modify information pertaining to them whether or not they themselves had provided the information to the body corporate. This right should be provided to them wherever the information that pertains to them is incorrect.</p>
<blockquote>
<p>(7) Body corporate or any person on its behalf shall provide an option to the provider of the information to opt-in or opt-out.</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend that the wording be changed to “individual to whom the data pertains” instead of “provider of information”.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/security-practices-rules'>https://cis-india.org/internet-governance/blog/security-practices-rules</a>
</p>
No publisher | Prashant Iyengar | IT Act, Internet Governance | 2012-12-14T10:32:06Z | Blog Entry
CIS Para-wise Comments on Cyber Café Rules, 2011
https://cis-india.org/internet-governance/blog/cyber-cafe-rules
<b>On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Guidelines for Cyber Cafe) Rules, 2011) in exercise of the powers conferred by Section 87(2) (zg), read with Section 79(2) of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para wise comments for the Ministry’s consideration.</b>
<h2>A. General Objections</h2>
<p>These rules have no nexus with their parent provision, namely s.79(2). Section 79(1) provides for exemption from liability for intermediaries. Section 79(2) thereupon states:</p>
<blockquote>79. Intermediaries not to be liable in certain cases—<br />
<blockquote>(2) The provisions of sub-section (1) shall apply if— <br />
<blockquote>(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or <br />(b) the intermediary does not— <br /></blockquote>
<blockquote>
<blockquote>(i) initiate the transmission, <br />(ii) select the receiver of the transmission, and <br />(iii) select or modify the information contained in the transmission; <br /></blockquote>
</blockquote>
<blockquote>(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf. <br /><br /></blockquote>
</blockquote>
</blockquote>
<p>Therefore, by not observing any of the provisions of the Rules, the intermediary opens itself up for liability for actions of its users. However, the provisions contained in these rules have no rational nexus with due diligence to be observed by the intermediary to absolve itself from liability for third-party actions.</p>
<p>While the government may have authority to regulate cybercafes, that regulation should not be promulgated as rules under s.79(2). Doing so would be ultra vires s.79(2) itself.</p>
<h3>Recommendation</h3>
<p>These rules should be deleted in toto.</p>
<h2>B. Specific Objections</h2>
<p>These specific objections are in addition to the above-stated general objection, and do not detract from our recommendation that these rules should be deleted in their entirety.</p>
<h3>Rule 2(c)</h3>
<blockquote>
<p>(c) “Cyber Cafe” means cyber café as defined in clause (na) of sub-section (1) of section 2 of the Act</p>
</blockquote>
<h3>Comment</h3>
<p>The Act defines a cyber cafe as meaning “any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”. This would include internet access provided in airports, in restaurants, and in many other places where the provisions of these rules (such as those about height of partitions, etc.) just will not be practicable. Thus, this provision will have unintended consequences.</p>
<h3>Rule 3</h3>
<blockquote>Agency for issuance of license: Appropriate government will notify an agency to issue license to cyber cafes.<br /></blockquote>
<h3>Comment</h3>
<p>Rule 3 requires the issuing of a license for the establishment of a cyber café. We believe this is unwarranted since cybercafes, like most commercial establishments, are already subject to registration and licensing under the “Shops and Establishments Acts” which have been enacted in all states. These Acts already specify an elaborate procedure for the application, registration and monitoring of all establishments, and there is no need to multiply the levels of permission a cyber café must obtain. The current rules do not specify an application procedure, a fee, or a maximum or minimum time frame within which such a license must be granted or denied, nor do they specify the criteria on which such license applications will be evaluated. We think that in the absence of such legislative guidance, this provision is likely to be abused.</p>
<p>Cyber cafes in India contribute greatly to India’s increasing internet penetration and inserting a licensing regime would greatly impede access to the internet.</p>
<p>We believe that cyber cafes should be allowed to be established in the same manner as other shops and establishments, without the requirement of a special license.</p>
<h3>Rule 4(2)</h3>
<blockquote>
<p>...When an user cannot establish his/her identity to the satisfaction of the Cyber Café as per sub-rule (1), he/she may be photographed by the Cyber Café using a web camera installed on one of the computers in the Cyber Café for establishing the identity of the user.</p>
</blockquote>
<h3>Comment</h3>
<p>Sub-rule 4(2) requires that if an individual is unable to establish identity, their photograph must be taken if they wish to use cyber café facilities. We believe that an individual’s photograph should be taken only as a last resort, where identity has been established.</p>
<h3>Rule 4(3)</h3>
<blockquote>
<p>Children without photo identity card shall be accompanied by an adult with any of the documents as prescribed in sub-rule (1).</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend that children below 18 years should be specifically exempt from proving their identities to cyber café owners. Children are usually the quickest to adopt technology, and the requirement of possessing a valid identity might prove to be a deterrent to their developing computer skills. Likewise, being accompanied by an adult is also an onerous obligation since children’s access to the internet would depend on the availability of an adult/parent who may be too busy to accompany the child on every occasion the child wishes to access the internet or use a computer.</p>
<p>To reiterate, we feel that the current provision specially and adversely targets children from poorer classes (since they are most likely to routinely access internet through cyber cafes) and denies them the opportunity of developing their computer skills which are crucial for the growth of the “knowledge economy” that India is trying to head towards.</p>
<p>In addition, we believe that children are more susceptible to exploitation and consequently have a heightened privacy expectation which must be honoured. We recommend that the current sub-rule be deleted and replaced with a clause which specifically exempts children from proving their identity and forbids taking photographs of them under any circumstance.</p>
<h3>Rule 5(1)</h3>
<blockquote>
<p>... Log Register: After the identity of the user has been established as per sub-rule (1) of rule 4 above, the Cyber Café shall record and maintain the required information of each user in the log register for a minimum period of one year. Also, Cyber Café may maintain an online version of the log register.</p>
</blockquote>
<h3>Comment</h3>
<p>Rule 5(1) provides a minimum period of one year for which Cyber Cafes must retain their log registers. The rule does not specify the details which the log register must provide. In the interests of minimising threats to privacy, we recommend that the details recorded be confined only to the name and duration of use.</p>
<p>In addition, we believe that there should also be a coinciding mandatory deletion clause for the log register requiring details to be purged after the minimum retention period.</p>
<h3>Rules 5(3) and 6(2)</h3>
<blockquote>
<p>5(3): “The cyber café owner shall be responsible for storing and maintaining following backups of logs and computer resource records for at least six months for each access or login by any user :</p>
<blockquote>
<p>· History of websites accessed using computer resource at cyber cafe</p>
<p>· Logs of proxy server installed at cyber café</p>
<p>· Mail server logs</p>
<p>· Logs of network devices such as router, switches, systems etc. installed at cyber café</p>
<p>· Logs of firewall or Intrusion Prevention/Detection systems, if installed.”</p>
</blockquote>
</blockquote>
<blockquote>
<p>6(2): “The screen of all computers, installed other than in Partitions or Cubicles, shall face ‘outward’, i.e. they shall face the common open space of the Cyber Café.”</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend deletion of this rule since it is an unreasonable intrusion into a person’s privacy and an indirect attempt to censor content which users may wish to access. There are many uses of the internet for which a user may legitimately require privacy: For instance, patients, including HIV patients and those with mental illness, may wish to obtain information about their condition. Similarly sexuality minorities may wish to seek support or reach out to a larger community. Enforcing the architecture stipulated in this rule would discourage their access to such vital information. In addition, this architecture would make it easier for cyber crimes such as identity theft to take place since it would be easier to observe the login details of other users at the cyber café.</p>
<h3>Rule 7(1)</h3>
<blockquote>
<p>Inspection of Cyber Café: “An officer, not below the rank of Police Inspector as authorised by the licensing agency, is authorized to check or inspect cyber café and the computer resource or network established therein at any time for the compliance of these rules. The cyber café owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.”</p>
</blockquote>
<h3>Comment</h3>
<p>We recommend this clause be omitted since it confers unfettered and unsupervised powers on any Police Inspector to examine any cyber café premises he may choose without any restriction on time.</p>
<p>Additionally, the provisions of Shops and Establishments Acts of most states already prescribe a procedure for inspection of establishments and examination of records. The current rules merely add another layer of supervision to the existing laws without adequate safeguards.</p>
<h3>Comment</h3>
<p>Sub-Rule 5(3) holds cyber café owners responsible for the storage and maintenance of back up logs concerning the following information: history of websites, logs of proxy servers, mail server logs, logs of network devices, logs of firewalls installed. We believe that the maximum length for retention of this data should be defined and a mandatory deletion clause should be inserted requiring cyber café owners to delete these logs periodically. We further believe that access to the history of websites and mail server logs is a serious invasion of a person’s privacy, and should be omitted from the back up logs.</p>
<p>This is especially so when currently there is no requirement that cyber café owners maintain their logs under conditions of utmost secrecy and confidence.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cyber-cafe-rules'>https://cis-india.org/internet-governance/blog/cyber-cafe-rules</a>
</p>
No publisher | Prashant Iyengar | IT Act, Internet Governance | 2012-12-14T10:32:02Z | Blog Entry
CIS Para-wise Comments on Intermediary Due Diligence Rules, 2011
https://cis-india.org/internet-governance/blog/intermediary-due-diligence
<b>On February 7th 2011, the Department of Information Technology, MCIT published draft rules on its website (The Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011) in exercise of the powers conferred by Section 87(2)(zg), read with Section 79(2) of the Information Technology Act, 2000. Comments were invited from the public before February 25th 2011. Accordingly, Privacy India and Centre for Internet and Society, Bangalore have prepared the following para-wise comments for the Ministry’s consideration.</b>
<h2>A. General Objections</h2>
<p>A number of the provisions under these Rules have no nexus with their parent provision, namely s.79(2). Section 79(1) provides for exemption from liability for intermediaries. Section 79(2) thereupon states:</p>
<blockquote>
<p>79. Intermediaries not to be liable in certain cases—</p>
<blockquote>
<p>(2) The provisions of sub-section (1) shall apply if—</p>
<blockquote>
<p>(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or</p>
<p>(b) the intermediary does not—</p>
<blockquote>
<p>(i) initiate the transmission,</p>
<p>(ii) select the receiver of the transmission, and</p>
<p>(iii) select or modify the information contained in the transmission;</p>
</blockquote>
<p>(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.</p>
</blockquote>
</blockquote>
</blockquote>
<p>Therefore, by not observing any of the provisions of the Rules, the intermediary opens itself up for liability for actions of its users. However, many of the provisions of the Rules have no rational nexus with due diligence to be observed by the intermediary to absolve itself from liability.</p>
<h2>B. Specific Objections</h2>
<h3>Rule 2(b), (c), and (k)</h3>
<blockquote>
<p>(b) “Blog” means a type of website, usually maintained by an individual with regular entries of commentary, descriptions of events, or other material such as graphics or video. Usually blog is a shared on-line journal where users can post diary entries about their personal experiences and hobbies;</p>
</blockquote>
<blockquote>
<p>(c) “Blogger” means a person who keeps and updates a blog;</p>
</blockquote>
<blockquote>
<p>(k) “User” means any person including blogger who uses any computer resource for the purpose of sharing information, views or otherwise and includes other persons jointly participating in using the computer resource of intermediary</p>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>It is unclear why it is necessary to specifically target bloggers as users, leaving out other users such as blog commenters, social network users, microbloggers, podcasters, etc. It makes the rules technologically non-neutral.</p>
<h3><strong>Recommendation</strong></h3>
<p>We recommend that these 3 sub-rules be deleted.</p>
<h3>Rule 3(2)</h3>
<blockquote>
<p>3. <strong>Due Diligence observed by intermediary</strong>.— The intermediary shall observe following due diligence while discharging its duties.</p>
<blockquote>
<p>(2) The intermediary shall notify users of computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that : —</p>
<blockquote>
<p>(a) belongs to another person;</p>
<p>(b) is harmful, threatening, abusive, harassing, blasphemous, objectionable, defamatory, vulgar, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;</p>
<p>(c) harm minors in any way;</p>
<p>(d) infringes any patent, trademark, copyright or other proprietary rights;</p>
<p>(e) violates any law for the time being in force;</p>
<p>(f) discloses sensitive personal information of other person or to which the user does not have any right to;</p>
<p>(g) causes annoyance or inconvenience or deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;</p>
<p>(h) impersonate another person;</p>
<p>(i) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;</p>
<p>(j) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any other nation.</p>
</blockquote>
</blockquote>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>Firstly, such ‘standard’ terms of use [1] might make sense for one intermediary, but not for all. For instance, an intermediary such as a site with user-generated content (e.g., Wikipedia) would need different terms of use from an intermediary such as an e-mail provider (e.g., Hotmail), because the kinds of liability they accrue are different. This is similar to how the liability that a newspaper publisher accrues is different from that accrued by the post office. However, forcing standard terms of use negates this difference. Thus, these are impractical.</p>
<p>Secondly, read with the legal obligation of the intermediary to remove such information (contained in rule 3(3)), they vest an extraordinary power of censorship in the hands of the intermediary, which could easily lead to the stifling of the constitutionally guaranteed freedom of speech online. Analogous restrictions do not exist in other fields, e.g., against the press in India or against courier companies, and there is no justification to impose them on content posted online. Taken together, these provisions make it impossible to publish critical views about anything without the risk of being summarily censored.</p>
<p>Thirdly, while it is possible to apply Indian law to intermediaries, it is impracticable to require all intermediaries (whether in India or not) to have in their terms of use India-specific clauses such as rule 3(2)(j). Instead, it is better to merely require them to ask their users to follow all relevant laws.</p>
<p>Individual instances of how these rules are overly broad are contained in an appendix to this submission.</p>
<h3><strong>Recommendation</strong></h3>
<p>We strongly recommend the deletion of this sub-rule, except clause (e).</p>
<h3>Rule 3(3)</h3>
<blockquote>
<p>(3) The intermediary shall not itself host or publish or edit or store any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2).</p>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>This sub-rule is ultra vires s.79 of the IT Act, which does not require intermediaries not to “host or publish or edit or store any information”. In fact, s.79(2) merely states that by violating the provisions of s.79(2), the intermediary loses the protection of s.79(1). It does not, however, make it unlawful to violate s.79(2), as rule 3(3) does. This makes rule 3(3) ultra vires the Act.</p>
<h3><strong>Recommendation</strong></h3>
<p>This sub-rule should be deleted.</p>
<h3><strong>Rule 3(4)</strong></h3>
<blockquote>
<p>(4) The intermediary upon obtaining actual knowledge by itself or been brought to actual knowledge by an authority mandated under the law for the time being in force in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act expeditiously to work with user or owner of such information to remove access to such information that is claimed to be infringing or to be the subject of infringing activity. Further the intermediary shall inform the police about such information and preserve the records for 90 days</p>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>This rule is also ultra vires s.69A of the IT Act as well as the Constitution of India. Section 69A states all the grounds on which an intermediary may be required to restrict access to information [2]. It does not allow for expansion of those grounds, because it has been carefully worded to maintain its constitutional validity vis-a-vis Articles 19(1)(a) and 19(2) of the Constitution of India. The rules framed under s.69A prescribe an elaborate procedure before such censorship may be ordered. The rules under s.69A will be rendered nugatory if any person could get content removed or blocked under s.79(2).</p>
<p>This rule requires an intermediary to immediately take steps to remove access to information merely upon receiving a written request from “any authority mandated under the law”. Thus, for example, any authority can easily immunize itself from criticism on the internet by simply sending a written notice to the intermediary concerned. This is directly contrary to, and completely subverts the legislative intent expressed in Section 69B which lays down an elaborate procedure to be followed before any information can be lawfully blocked.</p>
<p>If any person is aggrieved by information posted online, they may seek their remedies—including the relief of injunction—from courts of law, under generally applicable civil and criminal law. Inserting a rule such as this one would take away the powers of the judiciary in India to define the line dividing permissible and impermissible speech, and vest it instead in the whims of each intermediary. This can only have a chilling effect on debates in the public domain (of which the Internet is a part) which is the foundation of any democracy.</p>
<h3><strong>Recommendation</strong></h3>
<p>This rule should be modified so that an intermediary is obliged to take steps towards removal of content only when (a) backed by an order from a court or (b) a direction issued following the procedure prescribed by the rules framed under Section 69A.</p>
<h3>Rule 3(5) & (7) & (8) & (10)</h3>
<blockquote>
<p>(5) The Intermediary shall inform its users that in case of non-compliance with terms of use of the services and privacy policy provided by the Intermediary, the Intermediary has the right to immediately terminate the access rights of the users to the site of Intermediary;</p>
<p>(7) The intermediary shall not disclose sensitive personal information;</p>
<p>(8) Disclosure of information by intermediary to any third party shall require prior permission or consent from the provider of such information, who has provided such information under lawful contract or otherwise;</p>
<p>(10) The information collected by the intermediary shall be used for the purpose for which it has been collected.</p>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>These sub-rules have no nexus with intermediary liability or non-liability under s.79(2). For instance, it is unreasonable to say that an intermediary may be held liable for the actions of its users if it does not inform its users about its right to terminate access by the user to its services. Furthermore, not all intermediaries need be websites, as sub-rule 5 assumes. An intermediary can even be an “internet service provider” or a “cyber cafe” or a “telecom service provider”, as per rule 2(j) read with s.2(1)(w) of the IT Act.</p>
<p>The requirements under sub-rules (7), (8), and (10) are rightfully the domain of s.43A and the rules made thereunder, and not s.79(2) nor these rules.</p>
<h3><strong>Recommendation</strong></h3>
<p>These sub-rules should be deleted, and sub-rules (7), (8), and (10) may be placed instead in the rules made under s.43A.</p>
<h3>Rule 3(9)</h3>
<blockquote>
<p>(9) Intermediary shall provide information to government agencies who are lawfully authorised for investigative, protective, cyber security or intelligence activity. The information shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a written request stating clearly the purpose of seeking such information.</p>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>This provision is ultra vires ss.69 and 69B. Rules have already been issued under ss.69 and 69B which stipulate the mechanism and procedure to be followed by the government for interception, monitoring or decrypting information in the hands of intermediaries. Thus under the Interception Rules 2009 framed under Section 69, permission must first be obtained from a “competent authority” before an intermediary can be directed to provide access to its records and facilities. The current rule completely removes the safeguards contained in s.69 and its rules, and would make intermediaries answerable to virtually any request from any government agency. This is contrary to the legislative intent expressed in Section 69.</p>
<h3><strong>Recommendation</strong></h3>
<p>We recommend this sub-rule be deleted.</p>
<h3><strong>Rule 3(12)</strong></h3>
<blockquote>
<p>(12) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.</p>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>The rules relating to how and when the Indian Computer Emergency Response Team may request information from intermediaries are rightfully the subject matter of s.70B(5) [3] and the rules made thereunder, by virtue of the rule-making power granted by s.87(2)(yd). The subject matter of rule 3(12) is not liability of intermediaries for third-party actions; hence there is no nexus between the rule-making power and the rule.</p>
<h3><strong>Recommendations</strong></h3>
<p>We recommend that this sub-rule be deleted.</p>
<h3>Rule 3(14)</h3>
<blockquote>
<p>(14) The intermediary shall publish on its website the designated agent to receive notification of claimed infringements.</p>
</blockquote>
<h3><strong>Comments</strong></h3>
<p>It is unclear what “infringements” are being referred to in this sub-rule. Neither s.79 nor these rules provide for “infringements”. The same reasoning applied for rule 3(4) would also apply here. It would be better to require the intermediary to publish on its website a method of providing judicial notice.</p>
<h3><strong>Recommendations</strong></h3>
<p>Delete, and replace with a requirement for the intermediary to publish on its website a method of providing judicial notice.</p>
<h2>Footnotes</h2>
<ol><li>
<p>For instance, Section B(1) of the World of Warcraft Code of Conduct: “When engaging in Chat, you may not: (i) Transmit or post any content or language which, in the sole and absolute discretion of Blizzard, is deemed to be offensive, including without limitation content or language that is unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, hateful, sexually explicit, or racially, ethnically or otherwise objectionable.”</p>
</li><li>
<p>It is only “in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above” that intermediaries may be issued directions to block access to information.</p>
</li><li>
<p>70B(5) states that “The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.”</p>
</li></ol>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/intermediary-due-diligence'>https://cis-india.org/internet-governance/blog/intermediary-due-diligence</a>
</p>
No publisher | pranesh | Freedom of Speech and Expression, IT Act, Intermediary Liability | 2012-07-11T10:27:26Z | Blog Entry
RTI Applications on Blocking of Websites
https://cis-india.org/internet-governance/blog/rtis-on-website-blocking
<b>In recent weeks, an increasing number of incidents of government-ordered blocking of websites have come to light. In one case involving Zone-H.org, it is clear who has ordered the block (a Delhi district court judge, as an interim order), even though the block itself is open to constitutional challenge. In all other cases, including the TypePad case, it is unclear who has ordered the block and why. We at CIS have sent in two right to information requests to find out.</b>
<p>While under the law (i.e., s.69A of the Information Technology Act), the Department of Information Technology (DIT) has the power to order blocks (via the 'Designated Officer'), in some cases ISPs have noted that the order to block access to the websites has come from the Department of Telecom (DoT). Due to this, we have sent in RTI applications to both the DIT and the DoT.</p>
<h2>RTI Application to Department of Information Technology</h2>
<p align="JUSTIFY">To</p>
<p align="JUSTIFY">Shri
B.B.Bahl,<br />Joint
Director and PIO (RTI)<br />Office
of PIO (RTI)<br />Room
No 1016, Electronics Niketan<br />Department
of Information Technology (DIT)<br />Ministry
of Communications and Information Technology<br />6,
CGO Complex, New Delhi</p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">Dear
Sir, </p>
<p align="JUSTIFY"><strong>Subject:
Information on Website Blocking Requested under the Right to
Information Act, 2005 </strong></p>
<p align="JUSTIFY"><strong>1.
Full Name of the Applicant:</strong><br />Pranesh
Prakash </p>
<p align="JUSTIFY"><strong>2.
Address of the Applicant:</strong><br />E-mail
Address:<br />pranesh[at]cis-india.org
</p>
<p align="JUSTIFY">Mailing
Address:<br />Centre
for Internet and Society<br />194,
2-C Cross,<br />Domlur
Stage II,<br />Bangalore
– 560071 </p>
<p align="JUSTIFY"><strong>3.
Details of the information required</strong>:</p>
<p align="JUSTIFY">It
has come to our attention that Airtel Broadband Services (“Airtel”)
has recently blocked access to a blog host called TypePad
(http://www.typepad.com) (“TypePad”) for all its users across the
country. In this regard, we request information on the following
queries under Section 6(1) of the Right to Information Act, 2005:</p>
<ol type="i"><li>
<p align="JUSTIFY">Did
the Department order Airtel to block TypePad under s.69A of the
Information Technology Act (“IT Act”), 2000 read with the
Information Technology (Procedures and Safeguards for Blocking
Access of Information by Public) Rules, 2009 (“Rules”) or any
other law for the time being in force? If so, please provide a copy
of such order or orders. If not, what action, if at all, has been
taken by the Department against Airtel for blocking of websites in
contravention of s.69A of the IT Act?</p>
</li><li>
<p align="JUSTIFY">Has
the Department ever ordered a block under s.69A of the IT Act? If
so, what was the information that was ordered to be blocked?</p>
</li><li>
<p align="JUSTIFY">How
many requests for blocking of information has the Designated Officer
received, and how many of those requests have been accepted and how
many rejected? How many of those requests were for emergency
blocking under Rule 9 of the Rules?</p>
</li><li>
<p align="JUSTIFY">Please
provide us the present composition of the Committee for Examination
of Requests constituted under Rule 7 of the Rules.</p>
</li><li>
<p align="JUSTIFY">Please
provide us the dates and copies of the minutes of all meetings held
by the Committee for Examination of Requests under Rule 8(4) of the
Rules, and copies of their recommendations.</p>
</li><li>
<p align="JUSTIFY">Please
provide us the present composition of the Review Committee
constituted under rule 419A of the Indian Telegraph Rules, 1951.</p>
</li><li>
<p align="JUSTIFY">Please
provide us the dates and copies of the minutes of all meetings held
by the Review Committee under Rule 14 of the Rules, and copies of
all orders issued by the Review Committee.</p>
</li></ol>
<p align="JUSTIFY"><strong>4.
Years to which the above requests pertain:</strong><br />2008-2011</p>
<strong>5.
Designation and Address of the PIO from whom the information is
required: </strong>
<p align="JUSTIFY">Shri
B.B.Bahl,<br />Joint
Director and PIO (RTI)<br />Office
of PIO (RTI)<br />Room
No 1016, Electronics Niketan<br />Department
of Information Technology (DIT)<br />Ministry
of Communications and Information Technology<br />6,
CGO Complex, New Delhi</p>
<p>To
the best of my belief, the details sought for fall within your
authority. Further, as provided under section 6(3) of the Right to
Information Act (“RTI Act”), in case this application does not
fall within your authority, I request you to transfer the same in the
designated time (5 days) to the concerned authority and inform me of
the same immediately.</p>
<p>To
the best of my knowledge the information sought does not fall within
the restrictions contained in sections 8 and 9 of the RTI Act, and any
provision protecting such information in any other law for the time
being in force is inapplicable due to section 22 of the RTI Act.</p>
<p>Please
provide me this information in electronic form, via the e-mail
address provided above.</p>
<p>This
is to certify that I, Pranesh Prakash, am a citizen of India.</p>
<p>A
fee of Rs. 10/- (Rupees Ten Only) has been made out in the form of a
demand draft drawn in favour of “Pay and Accounts Officer,
Department of Information Technology” payable at New Delhi.</p>
<p align="JUSTIFY"><br /></p>
<p align="JUSTIFY">Date:
Monday, February 28, 2011<br />Place:
Bengaluru, Karnataka</p>
<br />(Pranesh
Prakash)
<p align="JUSTIFY"> </p>
<h2>RTI Application to Department of Telecom</h2>
<p align="JUSTIFY">To</p>
<p align="JUSTIFY">Shri
Subodh Saxena<br />Central
Public Information Officer (RTI)<br />Director
(DS-II)<br />Room
No 1006, Sanchar Bhawan<br />Department
of Telecommunications (DoT)<br />Ministry
of Communications and Information Technology<br />20,
Ashoka Road, New Delhi — 110001</p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">Dear
Sir, </p>
<p align="JUSTIFY"><strong>Subject:
Information on Website Blocking Requested under the Right to
Information Act, 2005 </strong></p>
<p align="JUSTIFY"><strong>1.
Full Name of the Applicant:</strong><br />Pranesh
Prakash </p>
<p align="JUSTIFY"><strong>2.
Address of the Applicant:</strong><br />E-mail
Address:<br />pranesh[at]cis-india.org
</p>
<p align="JUSTIFY">Mailing
Address:<br />Centre
for Internet and Society<br />194,
2-C Cross,<br />Domlur
Stage II,<br />Bangalore
– 560071 </p>
<p align="JUSTIFY"><strong>3.
Details of the information required</strong>:</p>
<p align="JUSTIFY">It
has come to our attention that Airtel Broadband Services (“Airtel”)
has recently blocked access to a blog host called TypePad
(http://www.typepad.com) (“TypePad”) for all its users across the
country. Airtel subscribers trying to access this website receive a
message noting “This site has been blocked as per request by
Department of Telecom”. In this regard, we request information on
the following queries under Section 6(1) of the Right to Information
Act, 2005:</p>
<ol type="i"><li>
<p align="JUSTIFY">Does
the Department have powers to require an Internet Service Provider
to block a website? If so, please provide a citation of the statute
under which power is granted to the Department, as well as the
safeguards prescribed to be in accordance with Article 19(1)(a) of
the Constitution of India.</p>
</li><li>
<p align="JUSTIFY">Did
the Department order Airtel to block TypePad or any blog hosted by
TypePad? If so, please provide a copy of such order or orders. If
not, what action, if at all, has been taken by the Department
against Airtel for blocking of websites?</p>
</li><li>
<p align="JUSTIFY">Has
the Department ever ordered the blocking of any website? If so,
please provide a list of addresses of all the websites that have
been ordered to be blocked.</p>
</li><li>
<p align="JUSTIFY">Please
provide us the present composition of the Committee constituted
under rule 419A of the Indian Telegraph Rules, 1951.</p>
</li><li>
<p align="JUSTIFY">Please
provide us the dates and copies of the minutes of all meetings held
by the Committee constituted under rule 419A of the Indian Telegraph
Rules, 1951, and copies of all their recommendations.</p>
</li></ol>
<p align="JUSTIFY"><strong>4.
Years to which the above requests pertain:</strong><br />2005-2011</p>
<p><strong>5.
Designation and Address of the PIO from whom the information is
required:</strong><br />Shri
Subodh Saxena<br />Central
Public Information Officer (RTI)<br />Director
(DS-II)<br />Room
No 1006, Sanchar Bhawan<br />Department
of Telecommunications (DoT)<br />Ministry
of Communications and Information Technology<br />20,
Ashoka Road, New Delhi — 110001</p>
<p>To
the best of my belief, the details sought for fall within your
authority. Further, as provided under section 6(3) of the Right to
Information Act (“RTI Act”), in case this application does not
fall within your authority, I request you to transfer the same in the
designated time (5 days) to the concerned authority and inform me of
the same immediately. </p>
<p>To
the best of my knowledge the information sought does not fall within
the restrictions contained in sections 8 and 9 of the RTI Act, and any
provision protecting such information in any other law for the time
being in force is inapplicable due to section 22 of the RTI Act.</p>
<p>Please
provide me this information in electronic form, via the e-mail
address provided above.</p>
<p>This
is to certify that I, Pranesh Prakash, am a citizen of India.</p>
<p>A
fee of Rs. 10/- (Rupees Ten Only) has been made out in the form of a
demand draft drawn in favour of “Pay and Accounts Officer (HQ),
Department of Telecom” payable at New Delhi.</p>
<p align="JUSTIFY"> </p>
<p align="JUSTIFY">Date:
Monday, February 28, 2011<br />Place:
Bengaluru, Karnataka</p>
<p align="JUSTIFY"> <br />(Pranesh
Prakash)</p>
<p align="JUSTIFY"> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/rtis-on-website-blocking'>https://cis-india.org/internet-governance/blog/rtis-on-website-blocking</a>
</p>
No publisher | pranesh | Freedom of Speech and Expression, IT Act, RTI, Public Accountability | 2012-12-21T06:34:27Z | Blog Entry
Comments on the Draft Rules under the Information Technology Act
https://cis-india.org/internet-governance/blog/comments-draft-rules
<b>The Centre for Internet and Society commissioned an advocate, Ananth Padmanabhan, to produce a comment on the Draft Rules that have been published by the government under the Information Technology Act. In his comments, Mr. Padmanabhan highlights the problems with each of the rules and presents specific recommendations on how they can be improved. These comments were sent to the Department of Information and Technology.</b>
<h2><em>Comments on the Draft Rules under the Information Technology Act as Amended by the Information Technology (Amendment) Act, 2008</em></h2>
<p><em><strong>Submitted by the Centre for Internet and Society, Bangalore</strong></em></p>
<p><em><strong>Prepared by Ananth Padmanabhan, Advocate in the Madras High Court</strong></em></p>
<h2>Interception, Monitoring and Decryption</h2>
<h3>Section 69</h3>
<p>The section says:</p>
<ol><li>Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource. </li><li>The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.</li><li>The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to-</li></ol>
<p>(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or</p>
<p>(b) intercept, monitor, or decrypt the information, as the case may be; or</p>
<p>(c) provide information stored in computer resource.</p>
<ol start="4"><li>The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.</li></ol>
<p><strong>Recommendation #1</strong><br />Section 69(3) should be amended and the following proviso be inserted:</p>
<p class="callout">Provided that only those intermediaries with respect to any information or computer resource that is sought to be monitored, intercepted or decrypted, shall be subject to the obligations contained in this sub-section, who are, in the opinion of the appropriate authority, prima facie in control of such transmission of the information or computer resource. The nexus between the intermediary and the information or the computer resource that is sought to be intercepted, monitored or decrypted should be clearly indicated in the direction referred to in sub-section (1) of this section.</p>
<p><br /><strong>Reasons for the Recommendation </strong><br />In the case of any information or computer resource, there may be more than one intermediary who is associated with such information. This is because “intermediary” is defined in section 2(w) of the amended Act as,</p>
<p class="callout">“with respect to any electronic record means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, including telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes”. </p>
<p><br />The State or Central Government should not be given wide-ranging powers to enforce cooperation on the part of any such intermediary without there being a clear nexus between the information that is sought to be decrypted or monitored by the competent authority, and the control that any particular intermediary may have over such information.</p>
<p>To give an illustration, merely because some information may have been posted on an online portal, the computer resources in the office of the portal should not be monitored unless the portal has some concrete control over the nature of information posted in it. This has to be stipulated in the order of the Central or State Government which authorizes interception of the intermediary. </p>
<p><br /><strong>Recommendation #2</strong><br />Section 69(4) should be repealed.</p>
<p><br /><strong>Reasons for the Recommendation</strong><br />The closest parallels to Section 69 of the Act are the provisions in the Telegraph Rules which were brought in after the decision in PUCL v. Union of India, (1997) 1 SCC 301, famously known as the telephone tapping case.</p>
<p>Section 69(4) fixes tremendous liability on the intermediary for non-cooperation. This is violative of Article 14. Similar provisions in the Indian Penal Code and Code of Criminal Procedure, which demand cooperation from members of the public as regards production of documents, letters etc., and impose punishment for non-cooperation on their part, impose a maximum punishment of one month. It is bewildering why the punishment is 7 years imprisonment for an intermediary, when the only point of distinction between an intermediary under the IT Act and a member of the public under the IPC and CrPC is the difference in the media which contains the information.</p>
<p>Section 69(3) is akin to the duty cast upon members of the public to extend cooperation under Section 39 of the Code of Criminal Procedure by way of providing information as to commission of any offence, or the duty, when a summons is issued by the Court or the police, to produce documents under Sections 91 and 92 of the Code of Criminal Procedure. The maximum punishment for non-cooperation prescribed by the Indian Penal Code for omission to cooperate or wilful breach of summons is only a month under Sections 175 and 176 of the Indian Penal Code. Even the maximum punishment for furnishing false information to the police is only six months under Section 177 of the IPC. When this is the case with production of documents required for the purpose of trial or inquiry, it is wholly arbitrary to impose a punishment of six years in the case of intermediaries who do not extend cooperation for providing access to a computer resource which is merely apprehended as being a threat to national security etc. A mere apprehension, however reasonable it may be, should not be used to pin down a liability of such extreme nature on the intermediary.</p>
<p>This would also amount to a violation of Articles 19(1)(a) as well as 19(1)(g) of the Constitution, not to mention Article 20(3). To give an example, much of the information received from confidential sources by members of the press would be stored in computer resources. By coercing them, through the 7 year imprisonment threat, to allow access to this computer resource and thereby part with this information, the State is directly infringing on their right under Article 19(1)(a). Furthermore, if the “subscriber” is the accused, then section 69(4) goes against Article 20(3) by forcing the accused to bear witness against himself.</p>
<p> </p>
<h3>Draft Rules under Section 69</h3>
<p><strong>Rule 3</strong><br />Directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource under sub- section (2) of section 69 of the Information Technology (Amendment) Act, 2008 (hereinafter referred to as the said Act) shall not be issued except by an order made by the concerned competent authority who is Union Home Secretary in case of Government of India; the Secretary in-charge of Home Department in a State Government or Union Territory as the case may be. In unavoidable circumstances, such order may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or by an officer equivalent to rank of Joint Secretary to Government of India duly authorised by the Secretary in-charge of Home Department in the State Government or Union Territory, as the case may be:</p>
<p>Provided that in emergency cases – <br />(i) in remote areas, where obtaining of prior directions for interception or monitoring or decryption of information is not feasible; or <br />(ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible;</p>
<p>the required interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource shall be carried out with the prior approval of the Head or the second senior most officer of the Security and Law Enforcement Agencies (hereinafter referred to as the said Security Agencies) at the Central Level and the officers authorised in this behalf, not below the rank of Inspector General of Police or an officer of equivalent rank, at the State and Union Territory level. The concerned competent authority, however, shall be informed of such interceptions or monitoring or decryption by the approving authority within three working days and that such interceptions or monitoring or decryption shall be got confirmed by the concerned competent authority within a period of seven working days. If the confirmation from the concerned competent authority is not received within the stipulated seven working days, such interception or monitoring or decryption shall cease and the same information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the concerned competent authority, as the case may be. </p>
<p><br /><strong>Recommendation #3</strong><br />In Rule 3, the following proviso may be inserted:</p>
<p class="callout">“Provided that in the event of cooperation by any intermediary being required for the purpose of interception, monitoring or decryption of such information as is referred to in this Rule, prior permission from a Supervisory Committee headed by a retired Judge of the Supreme Court or the High Courts shall be obtained before seeking to enforce the Order mentioned in this Rule against such intermediary.”</p>
<p><strong>Reasons for the Recommendation </strong><br />Section 69 and the draft rules suffer from absence of essential procedural safeguards. This has come in due to the blanket emulation of the Telegraph Rules. Additional safeguards should have been prescribed to ensure that the intermediary is put to minimum hardship when carrying on the monitoring or being granted access to a computer resource. Those are akin to a raid, in the sense that it can stop an online e-commerce portal from carrying out operations for a day or even more, thus affecting their revenue. It is therefore recommended that in any situation where cooperation from the intermediary is sought, prior judicial approval has to be taken. The Central or State Government cannot be the sole authority in such cases.</p>
<p>Furthermore, since access to the computer resource is required, an executive order should not suffice, and a search warrant or an equivalent which results from a judicial application of the mind (by the Supervisory Committee, for instance) should be required.</p>
<p><br /><strong>Recommendation #4</strong><br />The following should be inserted after the last line in Rule 22:</p>
<p class="callout">The Review Committee shall also have the power to award compensation to the intermediary in cases where the intermediary has suffered loss or damage due to the actions of the competent authority while implementing the order issued under Rule 3.</p>
<p><strong>Reasons for the Recommendation</strong><br />The Review Committee should be given the power to award compensation to the loss suffered by the intermediary in cases where the police use equipment or software for monitoring/decryption that causes damage to the intermediary’s computer resources / networks. The Review Committee should also be given the power to award compensation in the case of monitoring directions which are later found to be frivolous or even worse, borne out of mala fide considerations. These provisions will act as a disincentive against the abuse of power contained in Section 69. </p>
<p> </p>
<h2>Blocking of Access to Information</h2>
<h3>Section 69A</h3>
<p>The section provides for blocking of websites if the government is satisfied that it is in the interests of the purposes listed in the section. It also provides for a penalty of up to seven years for intermediaries who fail to comply with the directions under this section. <br />The rules under this section describe the procedure which has to be followed, failing which the review committee may, after due examination of the procedural defects, order an unblocking of the website.</p>
<p> </p>
<p><strong>Section 69A(3)</strong><br />The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.</p>
<p> </p>
<p><strong>Recommendation #5</strong><br />The penalty for intermediaries must be lessened.</p>
<p> </p>
<p><strong>Reasons for Recommendations </strong><br />The penal provision in this section which prescribes up to seven years imprisonment and a fine on an intermediary who fails to comply with the directions so issued is also excessively harsh. Considering the fact that various mechanisms are available to escape the blocking of websites, the intermediaries must be given enough time and space to administer the block effectively and strict application of the penal provisions must be avoided in bona fide cases.</p>
<p>The criticism about Section 69 and the draft rules in so far as intermediary liability is concerned, will also apply mutatis mutandis to these rules as well as Section 69A.</p>
<p> </p>
<h3>Draft Rules under Section 69A</h3>
<p><strong>Rule 22: Review Committee</strong><br />The Review Committee shall meet at least once in two months and record its findings whether the directions issued under Rule (16) are in accordance with the provisions of sub-section (2) of section 69A of the Act. When the Review Committee is of the opinion that the directions are not in accordance with the provisions referred to above, it may set aside the directions and order for unblocking of said information generated, transmitted, received, stored or hosted in a computer resource for public access.</p>
<p><br /><strong>Recommendation #6</strong><br />A permanent Review Committee should be set up specially for the purposes of examining procedural lapses.</p>
<p><br /><strong>Reasons for Recommendation </strong><br />Rule 22 provides for a review committee which shall meet a minimum of once in every two months and order the unblocking of a site if due procedures have not been followed. This would mean that if a site is blocked, it could take up to two months for a procedural lapse to be corrected and for the site to be unblocked. Even a writ filed against the policing agencies for unfair blocking would probably take around the same time. Also, it could well be the case that the review committee will be overburdened with cases and may fall short of time to inquire into each. Therefore, it is recommended that a permanent Review Committee be set up which will monitor procedural lapses and ensure that there is no blocking in the first place before all the due procedural requirements are met.</p>
<h2>Monitoring and Collection of Traffic Data</h2>
<h3>Draft Rules under Section 69B</h3>
<p>The section provides for monitoring of computer networks or resources if the Central Government is satisfied that conditions so mentioned are satisfied.</p>
<p>The rules provide for the manner in which the monitoring will be done, the process by which the directions for the same will be issued and the liabilities of the intermediaries and monitoring officers with respect to confidentiality of the information so monitored.</p>
<p><br /><strong>Grounds for Monitoring </strong><br /><strong>Rule 4</strong><br />The competent authority may issue directions for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource for any or all of the following purposes related to cyber security:<br />(a) forecasting of imminent cyber incidents;<br />(b) monitoring network application with traffic data or information on computer resource;<br />(c) identification and determination of viruses/computer contaminant;<br />(d) tracking cyber security breaches or cyber security incidents;<br />(e) tracking computer resource breaching cyber security or spreading virus/computer contaminants;<br />(f) identifying or tracking of any person who has contravened, or is suspected of having contravened or being likely to contravene cyber security;<br />(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resource;<br />(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;<br />(i) any other matter relating to cyber security.</p>
<p><br /><strong>Rule 6</strong><br />No direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule (4).</p>
<p><br /><strong>Recommendation #7</strong><br />Clauses (a), (b), (c), and (i) of Rule 4 must be repealed.</p>
<p><br /><strong>Reasons for Recommendations </strong><br />The term “cyber incident” has not been defined, and “cyber security” has been provided a circular definition. Rule 6 clearly states that no direction for monitoring and collection of traffic data or information generated, transmitted, received or stored in any computer resource shall be given for purposes other than those specified in Rule 4. Therefore, it may prima facie appear that the government is trying to lay down clear and strict safeguards when it comes to monitoring at the expense of a citizen’s privacy. However, Rule 4(i) allows the government to monitor if it is satisfied that it is “any matter related to cyber security”. This may well act as a ‘catch all’ clause to legalise any kind of monitoring and collection, and therefore defeats the purported intention of Rule 6 of safeguarding citizens’ interests against arbitrary and groundless intrusion of privacy. Also, the question of the degree of liability of the intermediaries or persons in charge of the computer resources for leak of secret and confidential information remains unanswered.</p>
<p><br /><strong>Rule 24: Disclosure of monitored data </strong><br />Any monitoring or collection of traffic data or information in computer resource by the employee of an intermediary or person in-charge of computer resource or a person duly authorised by the intermediary, undertaken in course of his duty relating to the services provided by that intermediary, shall not be unlawful, if such activities are reasonably necessary for the discharge his duties as per the prevailing industry practices, in connection with :<br />(vi) Accessing or analysing information from a computer resource for the purpose of tracing a computer resource or any person who has contravened, or is suspected of having contravened or being likely to contravene, any provision of the Act that is likely to have an adverse impact on the services provided by the intermediary.</p>
<p><br /><strong>Recommendation #8</strong><br />Safeguards must be introduced with respect to exercise of powers conferred by Rule 24(vi). </p>
<p><br /><strong>Reasons for Recommendations </strong><br />Rule 24(vi) provides for access, collection and monitoring of information from a computer resource for the purposes of tracing another computer resource which has contravened, or is likely to contravene, provisions of the Act and this is likely to have an adverse impact on the services provided by the intermediary. Analysis of a computer resource may reveal extremely confidential and important data, the compromise of which may cause losses worth millions. Therefore, the burden of proof for such an intrusion of privacy of the computer resource, which is first used to track another computer resource which is likely to contravene the Act, should be heavy. Also, this violation of privacy should be weighed against the benefits accruing to the intermediary. The framing of sub-rules under this rule clearly specifying the same is recommended. </p>
<p><br />The disclosure of sensitive information by a monitoring agency for purposes of ‘general trends’ and ‘general analysis of cyber information’ is uncalled for as it dissipates information among lesser bodies that are not governed by sufficient safeguards and this could result in outright violation of citizen’s privacy.</p>
<p> </p>
<h2>Manner of Functioning of CERT-In</h2>
<h3>Draft Rules under Section 70B(5)</h3>
<p>Section 70B provides for an Indian Computer Emergency Response Team (CERT-In) which shall serve as a national agency for performing duties as prescribed by clause 4 of this section in accordance with the rules as prescribed.<br />The rules provide for CERT-In’s authority, composition of advisory committee, constituency, functions and responsibilities, services, stakeholders, policies and procedures, modus operandi, disclosure of information and measures to deal with non-compliance with orders so issued. However, there are a few issues which need to be addressed as under:</p>
<p><br /><strong>Definitions</strong><br />In these Rules, unless the context otherwise requires, “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.</p>
<p><br /><strong>Recommendation #9</strong><br />The words ‘or implied’ must be excluded from rule 2(g) which defines ‘cyber security incident’, and the term ‘security policy’ must be qualified to state what security policy is being referred to.</p>
<p><br /><strong>Reasons for Recommendation</strong><br />“Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization. </p>
<p><br />Thus, the section defines any circumstance where an explicit or implied security policy is contravened as a ‘cyber security incident’. Without clearly stating what the security policy is, an inquiry into its contravention is against an individual’s civil rights. If an individual’s actions are to be restricted for reasons of security, then the restrictions must be expressly defined and such restrictions cannot be said to be implied.</p>
<p><br /><strong>Rule 13(4): Disclosure of Information </strong><br />Save as provided in sub-rules (1), (2), (3) of rule 13, it may be necessary or expedient to so to do, for CERT-In to disclose all relevant information to the stakeholders, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence relating to cognizable offence or enhancing cyber security in the country.</p>
<p><br /><strong>Recommendation #10</strong><br />Burden of necessity for disclosure of information should be made heavier. </p>
<p><br /><strong>Reasons for the Recommendation</strong><br />Rule 13(4) allows the disclosure of information by CERT-In in the interests of ‘enhancing cyber security’. This enhancement however needs to be weighed against the detriment caused to the individual and the burden of proof must be on the CERT-In to show that this was the only way of achieving the required. </p>
<p><br /><strong>Rule 19: Protection for actions taken in Good Faith </strong><br />All actions of CERT-In and its staff acting on behalf of CERT-In are taken in good faith in fulfillment of its mandated roles and functions, in pursuance of the provisions of the Act or any rule, regulations or orders made thereunder. CERT-In and its staff acting on behalf of CERT-In shall not be held responsible for any unintended fallout of their actions.</p>
<p><br /><strong>Recommendation #11</strong><br />CERT-In should be made liable for their negligent action and no presumption of good faith should be as such provided for. </p>
<p><br /><strong>Reasons for the Recommendation </strong><br />Rule 19 provides for the protection of CERT-In members for the actions taken in ‘good faith’. It defines such actions as ‘unintended fallouts’. Clearly, if information has been called for and the same is highly confidential, then this rule bars the remedy for any leak of the same due to the negligence of the CERT-In members. This is clearly not permissible as an agency that calls for delicate information should also be held responsible for mishandling the same, intentionally or negligently. Good faith can be established if the need arises, and no presumption as to good faith needs to be provided.</p>
<p> </p>
<h3>Draft Rules under Section 52</h3>
<p>These rules, entitled the “Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009” are meant to prescribe the framework for the independent and smooth functioning of the Cyber Appellate Tribunal. This is so because of the specific functions entrusted to this Appellate Tribunal. Under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008, this Tribunal has the power to entertain appeals against orders passed by the adjudicating officer under Section 47.</p>
<p><br /><strong>Recommendation #12</strong><br />Amend the qualifications in the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, to require judicial training and experience.</p>
<p><br /><strong>Reasons for the Recommendation</strong><br />It is submitted that an examination of these rules governing the Appellate Tribunal cannot be made independent of the powers and qualifications of Adjudicating Officers who are the original authority to decide on contravention of provisions in the IT Act dealing with damage to computer system and failure to furnish information. Even as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, persons who did not possess judicial experience and training, such as those holding the post of Director in the Central Government, were qualified to perform functions under Section 46 and decide whether there has been unauthorized access to a computer system. This involves appreciation of evidence and is not a merely administrative function that could be carried on by any person who has basic knowledge of information technology.</p>
<p>Viewed from this angle, the qualifications of the Cyber Appellate Tribunal members should have been made much tighter as per the new draft rules. The above rules when read with Section 50 of the IT Act, as amended in 2008, do not say anything about the qualification of the technical members apart from the fact that such person shall not be appointed as a Member, unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary or Joint Secretary or any equivalent post, though special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs, has been prescribed in the Act as a requirement for any technical member.</p>
<p> </p>
<h3>Draft Rules under Section 54</h3>
<p>These Rules do not suffer any defect and provide for a fair and reasonable enquiry in so far as allegations made against the Chairperson or the members of the Cyber Appellate Tribunal are concerned.</p>
<p> </p>
<h2>Penal Provisions</h2>
<h3>Section 66A</h3>
<p>Any person who sends, by means of a computer resource or a communication device,<br /> (a) any information that is grossly offensive or has menacing character; or<br /> (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,<br /> (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,<br />shall be punishable with imprisonment for a term which may extend to three years and with fine.<br />Sec. 32 of the 2008 Act inserts Sec. 66A which provides for penal measures for mala fide use of electronic resources to send information detrimental to the receiver. For the section to be attracted the ‘information’ needs to be grossly offensive, menacing, etc. and the sender needs to have known it to be false.</p>
<p>While the intention of the section – to prevent activities such as spam-sending – might be sound and even desirable, there is still a strong argument to be made that the use of words such as ‘annoyance’ and ‘inconvenience’ (in s.66A(c)) is highly problematic. Further, something can be grossly offensive without touching upon any of the conditions laid down in Article 19(2). Without satisfying the conditions of Article 19(2), this provision would be ultra vires the Constitution.</p>
<p><br /><strong>Recommendation #13</strong><br />The section should be amended and words which lead to ambiguity must be excluded.</p>
<p><br /><strong>Reasons for the Recommendation </strong><br />What exactly could convey ‘ill will’ or cause annoyance in electronic forms needs to be phrased more clearly. It is possible in some electronic forms for the receiver to know the content of the information. In such circumstances, if such a possibility is ignored and annoyance does occur, is the sender still liable? Keeping in mind the complexity of use of electronic modes of transmitting information, it can be said that several such conditions arise which the section has vaguely covered. Therefore, a stricter and more clinical approach is necessary. </p>
<p><br /><strong>Recommendation #14</strong><br />A proviso should be inserted to this section providing for specific exceptions to the offence contained in this section for reasons such as fair comment, truth, criticism of actions of public officials etc. </p>
<p> </p>
<p><strong>Reasons for the Recommendation </strong><br />The major problem with Section 66A lies in clause (c) as per which any electronic mail or electronic mail message sent with the purpose of causing annoyance or inconvenience is covered within the ambit of offensive messages. This does not pay heed to the fact that even a valid and true criticism of the actions of an individual, when brought to his notice, can amount to annoyance. Indeed, it may be brought to his attention with the sole purpose of causing annoyance to him. When interpreting the Information Technology Act, it is to be kept in mind that the offences created under this Act should not go beyond those prescribed in the Indian Penal Code except where there is a wholly new activity or conduct, such as hacking for instance, which is sought to be criminalized.</p>
<p>Offensive messages have been criminalized in the Indian Penal Code subject to the conditions specified in Chapter XXII being present. It is not an offence to verbally insult or annoy someone without anything more being done such as a threat to commit an offence, etc. When this is the case with verbal communications, there is no reason to make an exception for those made through the electronic medium and bring any electronic mail or message sent with the purpose of causing annoyance or inconvenience within the purview of an offensive message.</p>
<p> </p>
<h3>Section 66F</h3>
<p>The definition of cyber-terrorism under this provision is too wide and can cover several activities which are not actually of a “terrorist” character. <br />Section 66F(1)(B) is particularly harsh and goes much beyond acts of “terrorism” to include various other activities within its purview. As per this provision, <br />“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or is likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”</p>
<p>This provision suffers from several defects and hence ought to be repealed. </p>
<p><br /><strong>Recommendation #15</strong><br />Section 66F(1)(B) has to be repealed or suitably amended to water down the excessively harsh operation of this provision. The restrictive nature of the information that is unauthorisedly accessed must be confined to those that are restricted on grounds of security of the State or foreign relations. The use to which such information may be put should again be confined to injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mere advantage to a foreign nation cannot render the act of unauthorized access one of cyber-terrorism as long as such advantage is not injurious or harmful in any manner to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order. A mens rea requirement should also be introduced whereby mere knowledge that the information which is unauthorisedly accessed can be put to such uses as given in this provision should not suffice for the unauthorised access to amount to cyber-terrorism. The unauthorised access should be with the intention to put such information to this use. The amended provision would read as follows:</p>
<p class="callout">“[w]hoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, with the intention that such information, data or computer database so obtained may be used to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, commits the offence of cyber terrorism.”</p>
<p class="callout"> </p>
<p><strong>Reasons for the Recommendation </strong><br />The ambit of this provision goes much beyond information, data or computer database which is restricted only on grounds of security of the State or foreign relations and extends to “any restricted information, data or computer database”. This expression covers any government file which is marked as confidential or saved in a computer used exclusively by the government. It also covers any file saved in a computer exclusively used by a private corporation or enterprise. Even the use to which such information can be put need not be confined to those that cause or are likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, or friendly relations with foreign States. Information or data which is defamatory, amounting to contempt of court, or against decency / morality, are all covered within the scope of this provision. This goes way beyond the idea of a terrorist activity and poses serious questions. While there is no one globally accepted definition of cyberterrorism, it is tough to conceive of slander as a terrorist activity.</p>
<p>To give an illustration, if a journalist managed to unauthorisedly break into a restricted database, even one owned by a private corporation, and stumbled upon information that is defamatory in character, he would have committed an act of “cyber-terrorism.” Various kinds of information pertaining to corruption in the judiciary may be precluded from being unauthorisedly accessed on the ground that such information may be put to use for committing contempt of court. Any person who gains such access would again qualify as a cyber-terrorist. The factual situations are numerous where this provision can be put to gross misuse with the ulterior motive of muzzling dissent or freezing access to information that may be restricted in nature but nonetheless have a bearing on probity in public life etc. It is therefore imperative that this provision may be toned down as recommended above. <br /><br /></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/comments-draft-rules'>https://cis-india.org/internet-governance/blog/comments-draft-rules</a>
</p>
No publisher | pranesh | IT Act, Encryption, Intellectual Property Rights, Intermediary Liability, Publications, Censorship | 2011-09-21T06:13:42Z | Blog Entry
IT Act and Commerce
https://cis-india.org/internet-governance/blog/it-act-and-commerce
<b>This is a guest post by Rahul Matthan, partner in the law firm Trilegal, and widely regarded as one of the leading experts on information technology law in India. In this post, Mr. Matthan looks at the provisions in the amended Information Technology Act of interest to commerce, namely electronic signatures and data protection.</b>
<p>This post analyses the amendments brought about to the Information Technology Act, 2000 (“IT Act 2000”) through the recent 2008 amendments (“IT Act 2008”).</p>
<h2>Definitions</h2>
<p>The IT Act 2008 has introduced a few additional definitions to the list of definitions originally included in the IT Act 2000. These definitions have either amplified the existing provisions or been introduced in order to address new issues required to be defined in the context of the newly introduced provisions in the statute. Some of the significant definitions have been discussed below:</p>
<h3>Computer Network</h3>
<p>The definition of “computer network” has been amended to specifically include the wireless interconnection of computers. While wireless technology did fall within the scope of the IT Act under the rather generic head of “other communication media”, the Amendment Act clarifies the scope of the IT Act by expressly including the term “wireless”.</p>
<h3>Communication Devices</h3>
<p>The IT Amendment Bill, 2006, had provided an explanation for “communication devices” under Section 66A. This definition has been moved into the definition section and now applies across all sections of the IT Act 2008. “Communication devices” is defined to mean “a cell phone, personal digital assistance (PDA) device or combination of both or any device used to communicate, send or transmit any text, video, audio or image”.</p>
<p>There has been case law even under the IT Act that has held mobile phones to fall within the ambit of the IT Act, as a result of which all the provisions of the Act that apply to computers are equally applicable to mobile phones. This amendment only makes that position more explicit.</p>
<h2>Electronic Signatures</h2>
<p>One of the major criticisms of the IT Act 2000 was the fact that it was not a technology neutral legislation. This was specifically so in relation to the provisions in the IT Act 2000 relating to the use of digital signatures for the purpose of authentication of electronic records. The statute made specific reference to the use of asymmetric cryptosystem technologies in the context of digital signatures, and, in effect, any authentication method that did not use this technology was not recognised under the IT Act 2000.</p>
<p>The IT Act 2008 has attempted to make this more technology neutral. In doing so, the attempt has been to bring the law in line with the United Nations Commission on International Trade Law Model Law on Electronic Signatures (“Model Law”).</p>
<h3>Replacement of Digital Signatures</h3>
<p>The first significant change in the IT Act 2008 is the replacement of the term “digital signatures” with “electronic signatures” in almost all the provisions in the IT Act 2000. In some provisions, reference continues to be made to digital signatures, but the net effect of the amendments is to treat digital signatures as a subset (or an example of one type) of electronic signatures.</p>
<p>Electronic signatures have been defined as the authentication of an electronic record using the authentication techniques specified in the 2nd Schedule to the Act, provided they are reliable. </p>
<p>The reliability criterion has been introduced, very much along the lines of the Model Law. However, the contents of the 2nd Schedule are yet to be stipulated, which means that despite the existence of a reliability standard, the only authentication method available at this point in time is the digital signature regime.</p>
<h3>Dual Requirement</h3>
<p>One significant implication of this amendment is the introduction of a dual requirement – to meet the reliability standard as well as to be included in the 2nd Schedule. However, structuring the authentication procedures in this manner offsets the objective tests of neutrality borrowed from the Model Law, since an authentication method may meet the reliability test but will not be deemed to be legally enforceable unless it is notified in the 2nd Schedule.</p>
<p>Additionally, there will be grounds for challenging electronic signatures that are notified to the 2nd Schedule, if it can be shown that the signature so notified is not reliable under the terms of the reliability criteria. This can act as an impediment to the recognition of electronic signatures by notification.</p>
<h3>Emphasis on Digital Signatures</h3>
<p>Another concern is the treatment of digital signatures in the post amendment statute. The IT Act 2008 continues to retain all the provisions relating to digital signatures within the main body of the statute. The term “digital signature” has not been uniformly substituted with “electronic signature” throughout the statute. In certain provisions this leads to a certain amount of absurdity, such as in those relating to representations made as to the issuance, suspension or revocation of digital signature certificates; due to the lack of uniformity, these principles now apply only to digital signatures and not to all types of electronic signatures. </p>
<p>It would have been preferable if the provisions relating to digital signatures had been moved in their entirety to the 2nd Schedule. Then, digital signatures would have become just another class of electronic signatures listed in the Schedule. By omitting to do this, the authors ensure that digital signature-specific provisions remaining in the main body of the statute challenge the technology neutrality of the statute.</p>
<h3>Certifying Authorities</h3>
<p>The IT Act 2008 has made the certifying authority the repository of all electronic signatures issued under the statute. Given that there are, at present, multiple certifying authorities, this provision is impractical. Instead, the statute should have either referred to the Controller of Certifying Authorities or should have been worded to state that each certifying authority would be the repository for all electronic signature certificates issued by it.</p>
<h3>Impact on Other Statutes</h3>
<p>Since the enactment of the IT Act 2000, amendments have been carried out in other statutes, relying on the concept of digital signatures. For instance, the Negotiable Instruments Act, 1881, makes the use of a digital signature essential for an electronic cheque.1 While the IT Act 2008 has expanded the scope of the available authentication measures, by introducing the technologically neutral concept of electronic signatures, corresponding amendments in other statutes like the Negotiable Instruments Act, 1881, will need to be carried out, so that they are not limited in their application to digital signatures.</p>
<h2>Data Protection</h2>
<p>Prior to the passing of the IT Act 2008, the concept of 'data protection' was not recognised in India. The amendments have now introduced some amount of legal protection for data stored in the electronic medium. This chapter analyses the changes sought to be introduced and their impact on data protection law in India.</p>
<h3>Data under the IT Act 2000</h3>
<p>The only provision under the IT Act 2000, which dealt with unauthorised access and damage to data, was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.</p>
<h3>Data under the IT Act 2008</h3>
<p>Under the IT Act 2008, far-reaching changes have been made in relation to data. Two sections have been inserted specifically for that purpose – Sections 43-A and 72-A, one dealing with the civil and the other with the criminal remedies in relation to the breach of data related obligations.</p>
<h3>The Civil Remedies for Data Protection</h3>
<p>The newly introduced Section 43-A reads as follows:</p>
<blockquote>
<p>Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.</p>
<p> Explanation - For the purposes of this section:</p>
<p> (i) “Body Corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</p>
<p>(ii) “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; and</p>
<p>(iii) “Sensitive Personal Data or Information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.</p>
</blockquote>
<p>While at first this provision appears to address several long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.</p>
<h3>Non-Electronic Data</h3>
<p>In the first instance, there is no mention, under this provision, of non-electronic data. Most international data protection statutes recognise and protect data stored in any electronic medium or a relevant filing system (including, for instance, a salesperson's diary). The newly introduced provisions of the IT Act 2008 do not provide any protection for data stored in a non-electronic medium.</p>
<p>It could be argued that given the legislative focus of this statute (it has been called the Information Technology Act for a reason), it would be inappropriate to include within this statute protection for forms of data that do not relate to the digital or electronic medium. That argument is valid. However, many look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has been facing all these years; their enthusiasm must be tempered, as these new provisions merely provide solutions for electronic data.</p>
<h3>Classification of Data</h3>
<p>Most international data protection statutes distinguish between different levels of personal data – specifying different levels of protection for personal information and sensitive personal information. Depending on whether the data can be classified as one or the other, they have different levels of protection, as loss, unauthorised access or disclosure of sensitive personal information is considered to have a deeper impact on the data subject. </p>
<p>The new provisions of the IT Act 2008 make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data not deemed to be sensitive is to be treated. In essence, personal information and sensitive personal information do not appear to be differentially treated in the context of data protection.</p>
<h3>Consequences</h3>
<p>Under most international data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorised access to such information. This ensures that liability is restricted to those who actually have the ability to control the manner in which the data is treated. </p>
<p>However, under the new provisions of the IT Act 2008, the mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages. While there is likely to be a debate on what constitutes possession and how this differs from control, there can be little doubt that by referring to “possession” in addition to “operation” and “control”, the IT Act 2008 appears to have widened the net considerably.</p>
<h3>Negligence in Implementing Security Practices</h3>
<p>Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform.</p>
<p>There is a significant difference between the terms “negligence to implement” and “failure to implement”. The former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed; it has to be proved in addition that the body corporate was negligent.</p>
<h3>Wrongful Loss and Gain</h3>
<p>The Section appears to have been constructed on the basis that a breach has occurred in the event that any “wrongful gain” or “wrongful loss” was suffered. These terms have not been defined either under statutes or through any judicial precedents in the civil context. However, these terms do have a definition under criminal law in India. The Indian Penal Code, 1860 (“IPC”), defines “Wrongful Gain” to mean gain, by unlawful means, of property to which the person gaining is not legally entitled; and “Wrongful Loss” to mean the loss by unlawful means of property to which the person losing it is legally entitled.</p>
<p>There does not appear to be any greater significance in the use of these terms even though they are typically found in criminal statutes. Therefore, apart from the slight ambiguity as to purpose, their use in the IT Act does not appear to have any great significance.</p>
<h3>Limitation on Liability</h3>
<p>The provisions of Section 43 originally had the total liability for a breach capped at Rs. 5,00,00,000 (five crore rupees). The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liabilities.</p>
<h3>Reasonable Security Practices and Procedures</h3>
<p>Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:</p>
<ul><li> By agreement;</li><li>By law; and</li><li>By prescription by the Central Government.</li></ul>
<p>As there is no law in India which sets out an appropriate definition for the term, and since it will be some time before the Central Government comes out with the necessary regulations, it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.</p>
<p>As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practices and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.</p>
<h3>The Criminal Remedies for Unlawful Disclosure of Information</h3>
<p>In addition to the civil remedies spelled out in such detail in Section 43-A, the newly introduced provisions of Section 72-A of the IT Act 2008 could be used to impose criminal sanctions against any person who discloses information in breach of a contract for services. While not exactly a data protection provision in the same way that Section 43-A is, there are enough similarities in purpose to achieve the same result.</p>
<p>Section 72-A reads:</p>
<blockquote>
<p> Punishment for Disclosure of information in breach of lawful contract - Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to Rupees five lakh, or with both.</p>
</blockquote>
<p>In substance, this provision appears to be focused on providing criminal remedies in the context of breach of confidentiality obligations under service contracts; given that the section specifically refers to the disclosure of personal information obtained under that service contract, it is fair to classify this as a provision that addresses data protection issues.</p>
<h3>Personal Information</h3>
<p>The IT Act 2008 does not define “personal information”. Equally, there are no judicial precedents that provide any clarity on the term. The Right to Information Act, 2005 does provide a definition for “personal information”, but that definition is inappropriate in the context of the IT Act 2008. In the absence of a useable definition for the term “personal information”, it becomes difficult to assess the scope and ambit of the provision and in particular to understand the extent to which it is enforceable.</p>
<h3>"Willful"</h3>
<p>The section would only apply to persons who willfully disclose personal information and cause wrongful loss or gain. Hence, in order to make a person liable it has to be proved that the person disclosing the personal information did so with an intention to cause wrongful loss or gain. It would be a valid defense to claim that any loss caused was unintentional.</p>
<h3>Service Contracts</h3>
<p>The section appears to be particular about the fact that it only applies in the context of personal information obtained under a contract for services. This appears to rule out confidential information (that is not of a personal nature) that has been received under any other form of agreement (including, for example, a technology license agreement). The section is clearly intended to protect against the misuse of personal information and cannot be adapted to provide a wider level of protection against all breaches of confidential information. That said, employers now have a much stronger weapon against employees who leave with the personal records of other fellow employees.</p>
<h3>Consent</h3>
<p>This section also clearly applies only to those disclosures of personal information with the intent to cause wrongful loss or gain which have taken place without the consent of the person whose personal information is being disclosed. What remains to be seen is how the law will deal with situations where a general consent for disclosures has been obtained at the time of recruitment.</p>
<p>Such clauses are made effective around the world by including opt in and opt out clauses, to allow the employee to either expressly agree to the disclosure of his personal information or to specifically exclude himself from the ambit of any such disclosures.</p>
<h3>Media of Material</h3>
<p>This section, unlike several other provisions of the IT Act 2008, deals with all manner of materials without requiring them to be digital. However, while disclosure of information stored in the non-electronic medium has been recognised, in the absence of a clear definition of personal information, it is difficult to ascertain the application and enforcement of this section.</p>
<h3>What’s Missing</h3>
<p>In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilisation and proper disposal of data. At present the statute is silent about these aspects. In many ways, the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to any other corporate entity for processing. Within these specific parameters the statute works well. However it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/it-act-and-commerce'>https://cis-india.org/internet-governance/blog/it-act-and-commerce</a>
</p>
No publisher | pranesh | IT Act, Digital Governance, Data Protection, Authentication, Security | 2011-08-02T07:41:45Z | Blog Entry
Primer on the New IT Act
https://cis-india.org/internet-governance/blog/primer-it-act
<b>With this draft information bulletin, we briefly discuss some of the problems with the Information Technology Act, and invite your comments.</b>
<p align="justify">The latest amendments to
the Information Technology Act 2000, passed in December 2008 by the
Lok Sabha, and the draft rules framed under it contain several provisions
that can be abused and misused to infringe seriously on citizens'
fundamental rights and basic civil liberties. We have already <a href="https://cis-india.org/internet-governance/it-act/short-note-on-amendment-act-2008" class="internal-link" title="Short note on IT Amendment Act, 2008">written about some of the problems</a> with this Act earlier. With this information bulletin, drafted by Chennai-based advocate Ananth Padmanabhan, we wish to extend that analysis into the form of a citizens' dialogue highlighting ways in which the Act and the rules under it fail. Thus, we invite your comments, suggestions, and queries, as this is very much a work in progress. We will eventually consolidate this dialogue and follow up with the government on the concerns of its citizens.</p>
<h3 align="justify">Intermediaries
beware</h3>
<p align="justify">Internet service
providers, webhosting service providers, search engines, online
payment sites, online auction sites, online market places, and cyber
cafes are all examples of “intermediaries” under this Act. The
Government can force any of these intermediaries to cooperate with
any interception, monitoring or decryption of data by stating broad
and ambiguous reasons such as the “interest of the sovereignty or
integrity of India”, “defence of India”, “security of the
State”, “friendly relations with foreign States”, “public
order” or for “preventing incitement to” or “investigating”
the commission of offences related to those. This power can be abused
to infringe on the privacy of intermediaries as well as to hamper
their constitutional right to conduct their business without interference.</p>
<p align="justify">If a Google search on
“Osama Bin Laden” throws up an article that claims to have
discovered his place of hiding, the Government of India can issue a
direction authorizing the police to monitor Google’s servers to
find the source of this information. While Google can, of course,
establish that this information cannot be attributed directly to the
organization, making the search unwarranted, that would not help it
much. While section 69 grants the government these wide-ranging
powers, it does not provide for adequate safeguards in the form of having to show due cause or having an in-built right of appeal against a decision by the government. If Google refused
to cooperate under such circumstances, its directors would be liable
to imprisonment of up to seven years.</p>
<h3 align="justify">Pre-censorship<br /></h3>
<p align="justify">The State has been given
unbridled power to block access to websites as long as such blocking
is deemed to be in the interest of sovereignty and integrity of
India, defence of India, security of the State, friendly relations
with foreign States, and other such matters.</p>
<p align="justify">Thus, if a web portal or
blog carries or expresses views critical of the Indo-US nuclear deal,
the government can block access to the website and thus muzzle criticism
of its policies. While some may find that suggestion outlandish, it is very much possible under the Act. Since there is no right to be heard before your website is taken down nor is there an in-built mechanism for the website owner to appeal, the decisions made by the government cannot be questioned unless you are prepared to undertake a costly legal battle. </p>
<p align="justify">Again, if an intermediary (like Blogspot or an ISP like Airtel) refuses to cooperate, its directors may be personally liable to imprisonment for up to a period of seven years. Thus, being personally liable, the intermediaries are rid of any incentive to stand up for the freedom of speech and expression.</p>
<h3 align="justify">We need to monitor your computer: you have a virus<br /></h3>
<p align="justify">The government has been
vested with the power to authorize the monitoring and collection of
traffic data and information generated, transmitted, received or
stored in any computer resource. This provision is much too
widely-worded. </p>
<p align="justify">For instance, if the
government feels that there is a virus on your computer that can
spread to another computer, it can demand access to monitor your
e-mails on the ground that such monitoring enhances “cyber
security” and prevents “the spread of computer contaminants”.</p>
<h3 align="justify">Think before you click "Send"<br /></h3>
<p align="justify">If out of anger you send
an e-mail for the purpose of causing “annoyance” or
“inconvenience”, you may be liable for imprisonment up to three
years along with a fine. While that provision (section 66A(c)) was
meant to combat spam and phishing attacks, it criminalizes much more
than it should.</p>
<h3 align="justify">A new brand of "cyber terrorists" <br /></h3>
<p align="justify">The new offence of “cyber
terrorism” has been introduced, which is so badly worded that it
borders on the ludicrous. If a journalist gains
unauthorized access to a computer where information regarding
corruption by certain members of the judiciary is stored, she becomes
a “cyber terrorist” as the information may be used to cause
contempt of court. There is no precedent for any such definition of cyberterrorism. It is unclear what definition of terrorism the government is going by when even unauthorized access to defamatory material is considered cyberterrorism.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/primer-it-act'>https://cis-india.org/internet-governance/blog/primer-it-act</a>
</p>
No publisher | pranesh | IT Act, Digital Governance, Public Accountability, Intermediary Liability, Censorship | 2011-08-02T07:41:54Z | Blog Entry
Cybercrime and Privacy
https://cis-india.org/internet-governance/blog/privacy/privacy-ita2008
<b>Elonnai Hickok examines privacy in the context of India’s legal provisions on cybercrime. She picks up the relevant provisions of the Information Technology Act as amended in 2008 dealing with cyber crimes and provides a fair analysis of the pros and cons of the amended Act. </b>
<h2>What is Cybercrime?</h2>
<p>Looking at the recent <a class="external-link" href="http://www.bbc.co.uk/news/technology-10796584">Facebook ‘break in’ where the information of 100,000 users was downloaded</a> and made accessible through a simple search engine, and <a class="external-link" href="http://www.bbc.co.uk/news/10473495">the new Microsoft virus that attacked 10,000 machines</a>, it is clear that cybercrime is no longer an issue to be taken lightly. Cybercrime is defined as an unlawful act committed using a computer either as a tool or as a target (or both) for facilitating a crime. Although there is an overlap, some crimes are more likely to use the computer as a tool, and others use it as a target. Examples of the former include: fraud, forgery, DoS, consumption of limited resources, cyberterrorism, IPR violations, software piracy, copyright infringement, trademark violations, patent violations, cyber squatting, credit card frauds, EFT frauds, pornography, banking/credit card related crimes, sale or purchase of illegal articles, cyberstalking, phishing, theft, breaches of privacy, and gambling. Crimes where the computer is made a target include: computer theft, physical destruction or alteration of network components, theft of computer source code, hacking, defacing websites, creation of viruses, destruction or alteration of configuration information and email spamming.</p>
<h2>What is India's current legislation on cybercrime?</h2>
<h3>The Information Technology Act 2000 (amended in 2008)</h3>
<p>The <a class="external-link" href="http://nicca.nic.in/pdf/itact2000.pdf">Information Technology Act</a> was first drawn up in 2000, and was <a class="external-link" href="http://164.100.24.219/BillsTexts/LSBillTexts/PassedLoksabha/96-c%20of%202006.pdf">revised</a> most recently in 2008. The Information Technology (Amendment) Bill, 2008 amended sections 43 (data protection), 66 (hacking), 67 (protection against unauthorised access to data), 69 (cyberterrorism), and 72 (privacy and confidentiality) of the Information Technology Act, 2000, which relate to computer/cybercrimes.</p>
<p><strong>Section 43 [Penalty and Compensation for damage to computer, computer system, etc.] amended vide Information Technology Amendment Act 2008 reads as under:</strong></p>
<p>If any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network:</p>
<ul><li>accesses or secures access to such computer, computer system or computer network or computer resource (ITAA2008)</li><li>downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;</li><li>introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;</li><li>damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;</li><li>disrupts or causes disruption of any computer, computer system or computer network;</li><li>denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;</li><li>provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;</li><li>charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;</li><li>destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means (Inserted vide ITAA-2008); and</li><li>Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, (Inserted vide ITAA 2008) he shall be liable to pay damages by way of compensation to the person so affected. (change vide ITAA 2008)</li></ul>
<p><strong>Critique:</strong> In comparison to the laws enacted in other countries, this provision still falls short of a strong data protection law. In most other countries data protection laws specify:</p>
<ul><li>the definition and classification of data types;</li><li>the nature and protection of the categories of data;</li><li>that equal protection will be given to data stored offline and data stored manually;</li><li>that data controllers and data processors have distinct roles;</li><li>clear restrictions on the manner of data collection;</li><li>clear guidelines on the purposes to which the data can be put and to whom it can be sent;</li><li>standards and technical measures governing the collection, storage, access to, protection, retention, and destruction of data;</li><li>that providers of goods or services must have a clear opt-in or opt-out option; and</li><li>in addition, most countries provide strong safeguards and penalties against breaches of any of the above.</li></ul>
<div><span class="Apple-style-span"><strong><br />Section 66 [Computer Related Offences] amended vide Information Technology Amendment Act 2008 reads as under:</strong></span></div>
<p>If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.</p>
<div><span class="Apple-style-span">
<p>Explanation: For the purpose of this section,-</p>
<div>
<ul><li>the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code;</li><li>the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code. </li></ul>
<div>
<div><strong><br /></strong></div>
<div><strong>[Section 66 A] [Punishment for sending offensive messages through communication service, etc.] </strong></div>
<div><strong>(Introduced vide ITAA 2008):</strong></div>
</div>
<p>Any person who sends, by means of a computer resource or a communication device,-</p>
<div>
<div>
<ul><li>any information that is grossly offensive or has menacing character; or</li><li>any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;</li><li>any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages (Inserted vide ITAA 2008) shall be punishable with imprisonment for a term which may extend to three years and with fine.</li></ul>
</div>
</div>
</div>
<p>Explanation: For the purposes of this section, terms "Electronic mail" and "Electronic Mail Message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.<br /><span class="Apple-style-span"><strong><span class="Apple-style-span"><br /></span>[Section 66 B] [Punishment for dishonestly receiving stolen computer resource or communication device] (Inserted Vide ITA 2008):<br /></strong></span>Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.</p>
<div><span class="Apple-style-span"><strong>[Section 66C] [Punishment for identity theft] (Inserted Vide ITA 2008):</strong></span></div>
<p>Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.</p>
<p><strong>[Section 66D] [Punishment for cheating by personation by using computer resource] (Inserted Vide ITA 2008):<br /></strong>Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.</p>
<p><strong>[Section 66E] [Punishment for violation of privacy] (Inserted Vide ITA 2008):<br /></strong>Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both</p>
<p>Explanation - For the purposes of this section--</p>
<ul><li>“transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;</li><li>“capture”, with respect to an image, means to videotape, photograph, film or record by any means;</li><li>“private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;</li><li>“publishes” means reproduction in the printed or electronic form and making it available for public;</li><li>“under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that:</li></ul>
<div>
<div>
<ol><li>he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or</li><li>any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.</li></ol>
<p><strong>[Section 66F] [Punishment for cyber terrorism]:<br /></strong>(1) Whoever,-</p>
<div>
<div>(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by –</div>
<div>
<ul><li>denying or cause the denial of access to any person authorized to access computer resource; or </li><li>attempting to penetrate or access a computer resource without authorisation or exceeding authorized access; or</li><li>introducing or causing to introduce any Computer Contaminant and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or</li></ul>
</div>
<div>(B) knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.</div>
<div>(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.<br /><br /><strong>Critique</strong>: We find the terminology in multiple sections too vague to ensure consistent and fair enforcement. The concepts of ‘annoyance’ and ‘insult’ are subjective. Clause (d) makes it clear that phishing requests are not permitted, but it is not clear that one cannot ask for information on a class of individuals.</div>
</div>
</div>
</div>
<div><br /><strong>Section 67 [Publishing of information which is obscene in electronic form] amended vide Information Technology Amendment Act 2008 reads as under:</strong></div>
<div>Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.</div>
<p><strong><br />[Section 67 A] [Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form] (Inserted vide ITAA 2008):<br /></strong>Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.</p>
<p>Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-</p>
<ul><li>the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or</li><li>which is kept or used bona fide for religious purposes.</li></ul>
<div>
<div><strong>[Section 67 B] Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form:</strong></div>
<div>Whoever,-</div>
<div>(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or</div>
<div>(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or</div>
<div>(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or</div>
<div>(d) facilitates abusing children online or</div>
<div>(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:</div>
<div>Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-</div>
<div>(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or</div>
<div>(ii) which is kept or used for bonafide heritage or religious purposes </div>
<div>Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.</div>
</div>
<p><strong>[Section 67 C] [Preservation and Retention of information by intermediaries]:</strong></p>
<div>
<p>(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.</p>
<p>(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.</p>
<p><strong>Critique</strong>: This provision adequately protects both the corporate and the citizen in a positive way.</p>
</div>
<div>
<div><strong>Section 69 [Powers to issue directions for interception or monitoring or decryption of any information through any computer resource] amended vide Information Technology Amendment Act 2008 reads as under:</strong></div>
<div>(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.</div>
<div>(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.</div>
<div>(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to –</div>
<div>(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or</div>
<div>(b) intercept or monitor or decrypt the information, as the case may be; or </div>
<div>(c) provide information stored in computer resource.</div>
<div>(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.</div>
<div>[ Section 69B] Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security:</div>
<div>(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.</div>
<div>(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.</div>
<div>(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.</div>
<div>(4) Any intermediary who intentionally or knowingly contravenes the provisions of subsection (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.</div>
<div>Explanation: For the purposes of this section,</div>
<div>(i) "Computer Contaminant" shall have the meaning assigned to it in section 43</div>
<div>(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.</div>
<div>Critique: Though we recognize how important it is for a government to protect its citizens against cyberterrorism, we are concerned at the friction between these provisions and the guarantees of free dialog, debate, and free speech that are Fundamental Rights under the Constitution of India.</div>
<div><em>Specifically:</em></div>
<div>a) there is no clear provision of a link between an intermediary and the information or resource that is to be monitored.</div>
<div>c) the penalties laid out in the clause are believed to be too harsh, and when read in conjunction with provision 66, there is no distinction between minor offenses and serious offenses.</div>
<div>e) the ITA is too broad in its categorization of acts of cyberterrorism by including information that is likely to cause: injury to decency, injury to morality, injury in relation to contempt of court, and injury in relation to defamation.</div>
</div>
<div><br /><strong>Section 72 [Breach of confidentiality and privacy] amended vide Information Technology Amendment Act 2008 reads as under:</strong></div>
<div>
<div>Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuant of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.</div>
<div><strong>[Section 72 A] Punishment for Disclosure of information in breach of lawful contract (Inserted vide ITAA-2008):</strong></div>
<div>Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.</div>
</div>
<h3>General Notes and Critiques:</h3>
<div>
<div>As general notes on the ITA and data protection we find that the Act is lacking in many ways, including:</div>
<div>
<ul><li>there is no definition of “sensitive personal data or information” and that term is used indiscriminately without.</li><li>the provisions and protections cover only electronic data and not stored data or non-electronic systems of media</li><li>in the absence of a data controller, liability is often imposed on persons who are not necessarily in a position to control data</li><li>civil liability for data breach arises where negligence is involved</li><li>criminal liability only applies to cases of information obtained in the context of a service contract.</li></ul>
</div>
</div>
</span></div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/privacy/privacy-ita2008'>https://cis-india.org/internet-governance/blog/privacy/privacy-ita2008</a>
</p>
No publisher | praskrishna | IT Act, Internet Governance | 2010-09-14T13:21:20Z | Blog Entry
To preserve freedoms online, amend the IT Act
https://cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act
<b>Look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.</b>
<p style="text-align: justify; ">The article by Gurshabad Grover was published in the <a class="external-link" href="https://www.hindustantimes.com/analysis/to-preserve-freedoms-online-amend-the-it-act/story-aC0jXUId4gpydJyuoBcJdI.html">Hindustan Times</a> on April 16, 2019.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The issue of blocking of websites and online services in India has gained much deserved traction after internet users reported that popular services like Reddit and Telegram were inaccessible on certain Internet Service Providers (ISPs). The befuddlement of users calls for a look into the mechanisms that allow the government and ISPs to carry out online censorship without accountability.</p>
<p style="text-align: justify; ">Among other things, Section 69A of the Information Technology (IT) Act, which regulates takedown and blocking of online content, allows both government departments and courts to issue directions to ISPs to block websites. Since court orders are in the public domain, it is possible to know this set of blocked websites and URLs. However, the process is much more opaque when it comes to government orders.</p>
<p style="text-align: justify; ">The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009, issued under the Act, detail a process entirely driven through decisions made by executive-appointed officers. Although some scrutiny of such orders is required normally, it can be waived in cases of emergencies. The process does not require judicial sanction, and does not present an opportunity of a fair hearing to the website owner. Notably, the rules also mandate ISPs to maintain all such government requests as confidential, thus making the process and complete list of blocked websites unavailable to the general public.</p>
<p style="text-align: justify; ">In the absence of transparency, we have to rely on a mix of user reports and media reports that carry leaked government documents to get a glimpse into what websites the government is blocking. Civil society efforts to get the entire list of blocked websites have repeatedly failed. In response to the Right to Information (RTI) request filed by the Software Freedom Law Centre India in August 2017, the Ministry of Electronics and IT refused to provide the entire list of blocked websites citing national security and public order, but only revealed the number of blocked websites: 11,422.</p>
<p style="text-align: justify; ">Unsurprisingly, ISPs do not share this information because of the confidentiality provision in the rules. A 2017 study by the Centre for Internet and Society (CIS) found all five ISPs surveyed refused to share information about website blocking requests. In July 2018, the Bharat Sanchar Nigam Limited rejected the RTI request by CIS which asked for the list of blocked websites.</p>
<p style="text-align: justify; ">The lack of transparency, clear guidelines, and a monitoring mechanism means that there are various forms of arbitrary behaviour by ISPs. First and most importantly, there is no way to ascertain whether a website block has legal backing through a government order because of the aforementioned confidentiality clause. Second, the rules define no technical method for the ISPs to follow to block the website. This results in some ISPs suppressing Domain Name System queries (which translate human-parseable addresses like ‘example.com’ to their network address, ‘93.184.216.34’), or using the Hypertext Transfer Protocol (HTTP) headers to block requests. Third, as has been made clear with recent user reports, users in different regions and telecom circles, but serviced by the same ISP, may be facing a different list of blocked websites. Fourth, when blocking orders are rescinded, there is no way to make sure that ISPs have unblocked the websites. These factors mean that two Indians can have wildly different experiences with online censorship.</p>
<p style="text-align: justify; ">Organisations like the Internet Freedom Foundation have also been pointing out how, if ISPs block websites in a non-transparent way (for example, when there is no information page mentioning a government order presented to users when they attempt to access a blocked website), it constitutes a violation of the net neutrality rules that ISPs are bound to since July 2018.</p>
<p style="text-align: justify; ">While the Supreme Court upheld the legality of the rules in 2015 in Shreya Singhal vs. Union of India, recent events highlight how the opaque processes can have arbitrary and unfair outcomes for users and website owners. The right to access to information and freedom of expression are essential to a liberal democratic order. To preserve these freedoms online, there is a need to amend the rules under the IT Act to replace the current regime with a transparent and fair process that makes the government accountable for its decisions that aim to censor speech on the internet.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act'>https://cis-india.org/internet-governance/blog/hindustan-times-april-16-2019-gurshabad-grover-to-preserve-freedoms-online-amend-it-act</a>
</p>
No publisher | gurshabad | Freedom of Speech and Expression, IT Act, Internet Governance, Internet Freedom | 2019-04-16T10:09:41Z | Blog Entry
Northeast exodus: Is there a mechanism to pre-screen social media content?
https://cis-india.org/news/www-merinews-com-wahid-bukhari-august-23-2012-northeast-exodus
<b>The government has passed the blame buck on social media and blocked hundreds of websites, which it claims, hosted hate speech and inflammatory content, enough to incite violence. But is it feasible to pre-screen objectionable or provocative content, and reject it before posting so that there is no chance of such rumours?
</b>
<hr />
<p style="text-align: justify; ">The article by Wahid Bukhari was <a class="external-link" href="http://www.merinews.com/article/northeast-exodus-is-there-a-mechanism-to-pre-screen-social-media-content/15874014.shtml">published in merinews</a> on August 23, 2012. Pranesh Prakash is quoted.</p>
<hr />
<p style="text-align: justify; ">The government took the action after Home Minister RK Singh alleged that the exodus of northeastern people from southern states such as Bangalore, Mumbai and Pune was a result of the panic and rumours created because of the content uploaded on these websites, many according to him were created by elements across the border in Pakistan. Though many suspected that Mr Singh's claim was an excuse to save the government from its inefficiency in controlling the riots, and the exodus of the northeastern people who were seen boarding the trains to their home states with their belongings amid fears of reprisal attacks.</p>
<p style="text-align: justify; ">Was the action meant to pass on the inefficiency buck or not - the government has, at least, managed to shift the focus of the media from exodus to the debate - as to whether social networking sites or websites promoting hatred should be blocked or not - given the democratic rights of every citizen to freedom of speech and expression.</p>
<p style="text-align: justify; ">Around a hundred more websites have been reported promoting hate speech and <a href="http://www.merinews.com/topics/business/Google">Google</a>, <a href="http://www.merinews.com/topics/business/facebook">Facebook</a> and other social networking sites like <a href="http://www.merinews.com/topics/business/Twitter">Twitter</a> have been asked to remove such content as soon as possible but in this whole debate one question remains unanswered: How does removing a post from Twitter or Facebook make a difference, several hours after it was published? One might argue even an hour is enough for an inflammatory picture or comment to incite violence or hatred. As a consequence, one might demand that a comment is screened before it is posted on a website, otherwise it doesn't serve any purpose.</p>
<p style="text-align: justify; ">Whether pre-screening is technically possible, Pranesh Prakash maintains: "Given the amount of content uploaded on the larger social networks, pre-screening content is just not possible, while removal upon complaint is. They don't have editors like newspapers do; importantly, they shouldn't."</p>
<p style="text-align: justify; ">Perhaps, a mid way is to intervene prior to registration on social media websites. All those who register should be made aware of the content that's not permissible, and make them aware of relevant laws and repercussions of breaking them if their complicity is proved. Similarly, these sites can be asked by the Indian government to continuously remind registered users as well as general public, through mass media advertizing, about what kind of content is not permissible. The government, from its side, can strengthen cyber laws to empower sites such as Facebook and Twitter to curb posting of provocative content due to presence of these stringent laws.</p>
<p style="text-align: justify; ">Terming the government action unfortunate, Mr Prakash who is a programme manager with the Bangalore-based research and advocacy group, The Centre for Internet and Society believes that government botched up at so many levels. “I don't think the government should be going after Facebook, YouTube, or Twitter. It should be going to them, to work with them on removing content,” Mr Prakash suggests. "The larger social networks have dedicated complaints mechanisms, which the government could have asked them to run 24x7 for a few days, and to expedite that process, and both complained itself and asked the public to use the complaints process,” he adds.<br /> <br /> Though Pakistan has rubbished the claims that it has any role in fomenting trouble, but it has also asked the Indian government to provide it with evidence so that it could nab the accused. Whether or not there is any evidence is a secondary question, the primary blame will always rest with both the state and central governments who failed to stop the exodus of fear-stricken people from the northeast.</p>
<p style="text-align: justify; ">Experts like Mr Prakash are wondering why the government didn't pay back in the same coin by using the social media to dispel the rumours. “It is a pity that they notified a new policy to encourage governmental use of social media only today; they sorely needed it this last week,” Mr Prakash rues.</p>
<p style="text-align: justify; ">The government has blocked content related to thirty Twitter accounts but another surprising thing is that only accounts using the web interface have been blocked, and such accounts can still be accessed on BlackBerrys or other smartphones.</p>
<p style="text-align: justify; ">The only visible thing government did on ground when the exodus started taking place in Bangalore was the setting up of helplines but did they help in preventing the exodus - there are enough reasons to believe against it. "There were some complaints that the people attending some of these helplines could only speak in Kannada, and not the English or Hindi that people calling for help were expecting. Even such positive steps were executed badly," Mr Prakash informs.</p>
<p>
For more details visit <a href='https://cis-india.org/news/www-merinews-com-wahid-bukhari-august-23-2012-northeast-exodus'>https://cis-india.org/news/www-merinews-com-wahid-bukhari-august-23-2012-northeast-exodus</a>
</p>
No publisher | praskrishna | IT Act, Social media, Freedom of Speech and Expression, Public Accountability, Internet Governance, Censorship | 2012-09-04T04:06:46Z | News Item
"All Indian Enterprises should Be Very Worried": Centre for Internet and Society
https://cis-india.org/news/computer-world-india-feature-shubra-rishi-feb-25-2013-all-indian-enterprises-should-be-very-worried
<b>The DoT’s CERT team has successfully censored more than 70 URLs that didn’t particularly contain praises of IIPM. Amusingly, a URL containing a public notice issued by the University Grants Commission (UGC) in July 2012 was also blocked. </b>
<hr />
<p style="text-align: justify; ">This blog post by Shubhra Rishi was <a class="external-link" href="http://www.computerworld.in/feature/%E2%80%9Call-indian-enterprises-should-be-very-worried%E2%80%9D-centre-internet-and-society-75742013">published</a> in Computer World on February 25, 2013. Pranesh Prakash is quoted.</p>
<hr />
<p style="text-align: justify; ">The chairman of the Indian Institute of Planning and Management (IIPM) is having a Barbra Streisand moment.<br /><br />The American entertainer Barbra Streisand, in 2003, attempted to suppress photographs of her residence, involuntarily and indirectly fuelling further publicity. Arindam Chaudhuri’s order from a Gwalior Court has unfortunately resulted in more or less the same.</p>
<p style="text-align: justify; ">The DoT’s CERT team has successfully censored more than 70 URLs that didn’t particularly contain praises of IIPM. Amusingly, a URL containing a public notice issued by the University Grants Commission (UGC) in July 2012 was also blocked. The UGC notice said that IIPM cannot be recognized as a university according to the provisions of a particular section.</p>
<p style="text-align: justify; ">So while this issue has managed to hold our attention, it has also fervently highlighted the misappropriation of section 69 of India’s Information Technology (IT) Act 2000. According to this act, if the Director of Controller is satisfied that it is necessary or expedient so, he/she may order or direct any agency of the Government to intercept any information transmitted through any computer resource.</p>
<p style="text-align: justify; ">In short, intercepting or blocking is counter-productive in today’s scenario and is often seen as a direct infringement of people’s online freedom. “The Constitution of India does not put so many restrictions on the freedom of speech and expression that IT Act puts under a particular section,” says cyber law expert, Pavan Duggal.</p>
<p style="text-align: justify; ">Legal experts are also of the opinion that several provisions of the IT Act are unconstitutional. “It does not have built-in safeguards, especially transparency-related ones, around surveillance and censorship. Censorship in India, especially under the IT (Intermediary Guidelines) Rules 2011, is completely opaque and results in invisible censorship, meaning that we don't even get to find out that censorship has happened and thus cannot challenge it,” says Pranesh Prakash, policy director, Centre for Internet and Society.<br /><br />In the past, independent activists such as Binayak Sen, Aseem Trivedi, and Arundhati Roy, or even commoners such as Shaheen Dhada have come under fire of the said Act.<br /><br />Frankly, if this loophole in the IT Act is not addressed, even Indian corporations could face a similar problem.<br /><br />“I believe all intermediaries (websites that host user content, and networks that carry user traffic among others) are threatened now. Their executives can be dragged to court without any protection; thanks to the broad wording of the IT (Intermediary Guidelines) Rules 2011, despite the IT Act itself granting them some protections. This is dangerous, and all Indian enterprises should be very worried,” says Prakash.</p>
<p style="text-align: justify; ">Corporate India will have to tighten its belts. Despite the fact that the entire IT Act needs to be overhauled and employees need to be sensitized, currently, the first thing that corporate India needs to do is ensure that its operations in electronic format comply with the IT Act and its rules. “There's a lack of awareness about compliances in the corporate sector. Any kind of “jugaad” may not help a company get out of a potential exposure under the IT Act. An effective implementation of these compliances will relieve companies of the IT Act’s potential liabilities, both civil and criminal,” advises Duggal.<br /><br />So the Streisand effect in the IIPM case will slowly wear off, but the potential threat of the IT Act will continue to haunt enterprises.</p>
<p>
For more details visit <a href='https://cis-india.org/news/computer-world-india-feature-shubra-rishi-feb-25-2013-all-indian-enterprises-should-be-very-worried'>https://cis-india.org/news/computer-world-india-feature-shubra-rishi-feb-25-2013-all-indian-enterprises-should-be-very-worried</a>
</p>
No publisher | praskrishna | IT Act, Internet Governance | 2013-02-28T09:21:32Z | News Item
No Civil Society Members in the Cyber Regulations Advisory Committee
https://cis-india.org/internet-governance/blog/cyber-regulations-advisory-committee-no-civil-society
<b>The Government of India has taken our advice and reconstituted the Cyber Regulations Advisory Committee. But there is no representation of Internet users, citizens, and consumers — only government and industry interests.</b>
<p>In multiple op-eds (<a href="http://cis-india.org/internet-governance/blog/india-broken-internet-law-multistakeholderism">Indian Express</a> and <a href="http://cis-india.org/internet-governance/blog/livemint-opinion-november-28-2012-pranesh-prakash-fixing-indias-anarchic-it-act">Mint</a>), I have pointed out the need for the government to reconstitute the "Cyber Regulations Advisory Committee" (CRAC) under section 88 of the Information Technology Act. That it be reconstituted along the model of the Brazilian Internet Steering Committee was also <a href="http://docs.google.com/viewer?url=www.iigc.in%2Fhtm%2F2.pdf">part of the suggestions that CIS sent to the government</a> after a <a href="http://www.thehindu.com/todays-paper/tp-national/tp-newdelhi/government-to-hold-talks-with-stakeholders-on-internet-censorship/article3860393.ece">meeting FICCI had convened along with the government on September 4, 2012</a>.</p>
<p>Section 88 requires that people "representing the interests principally affected" by Internet policy or "having special knowledge of the subject matter" be present in this advisory body. The main function of the CRAC is to advise the Central Government "either generally as regards any rules or for any other purpose connected with this Act".</p>
<p>Despite this important function, the CRAC had — till November 2012 — only ever met twice, <a href="http://cis-india.org/internet-governance/resources/deity-response-to-rti-on-decisions-of-crac">both times in 2001</a>. The response to an RTI informed us that the body had never provided any advice to the government.</p>
<h2 id="government-not-serious">Government Not Serious</h2>
<p>The increasing pressure on the government for botching up Internet regulations has led it to reconstitute the CRAC. However, the list of members of the committee shows that the government is not serious about this committee representing "the interests primarily affected" by Internet policy.</p>
<p>Importantly, this goes against the express wish of Shri Kapil Sibal, the Union Minister for Communications and IT, who has repeatedly stated that he believes that Internet-related policymaking should be an inclusive process. Most recently, at the 2012 Internet Governance Forum he stated that we need systems that are:</p>
<blockquote>
"collaborative, consultative, inclusive and consensual, for dealing with all public policies involving the Internet"
</blockquote>
<p>Interestingly, despite the Hon'ble Minister verbally inviting civil society organizations (on November 23, 2012) for a meeting of the CRAC that happened on November 25, 2012, the Department of Electronics and Information Technology refused to send us invitations for the meeting. This hints at a disconnect between the political and bureaucratic wings of the government, at least at some levels.</p>
<p>Interestingly, this isn't the first time this has been pointed out. Na. Vijayashankar was levelling similar criticisms against the CRAC <a href="http://www.naavi.org/cl_editorial/edit_18aug00_1.html">way back in August 2000</a> when the original CRAC was constituted.</p>
<h2 id="breakdown-by-stakeholder-groupings">Breakdown by Stakeholder Groupings</h2>
<p>While there is no one universal division of stakeholders in Internet governance, four groups are widely recognized: governments (national and intergovernmental), industry, technical community, and civil society. Using that division, we get:</p>
<ul>
<li>Government - 15 out of 22 members</li>
<li>Industry bodies - 6 out of 22 members</li>
<li>Technical community / Academia - 1 out of 22 members</li>
<li>Civil society - 0 out of 22 members.</li>
</ul>
<h2 id="list-of-members-of-cyber-regulatory-advisory-committee">List of Members of Cyber Regulatory Advisory Committee</h2>
<p>The official notification <a href="http://deity.gov.in/sites/upload_files/dit/files/gazzate(1).pdf">(G.S.R. 827(E)) is available on the DEIT website</a> and came into force on November 16, 2012.</p>
<p>(Note: Names with <del>strikethroughs</del> have been removed from the CRAC since 2000, and those with <i>emphasis</i> have been added.)</p>
<ol>
<li>Minister, Ministry of Communication and Information Technology - Chairman</li>
<li><i>Minister of State, Ministry of Communications and Information Technology - Member</i></li>
<li>Secretary, Ministry of Communication and Information Technology, Department of Electronics and Information Technology - Member</li>
<li>Secretary, Department of Telecommunications - Member <br /><del>Finance Secretary - Member</del></li>
<li>Secretary, Legislative Department - Member</li>
<li><i>Secretary, Department of Legal Affairs - Member</i> <br /><del>Shri T.K. Vishwanathan, Presently Member Secretary, Law Commission - Member</del></li>
<li>Secretary, Ministry of Commerce - Member</li>
<li>Secretary, Ministry of Home Affairs - Member</li>
<li>Secretary, Ministry of Defence - Member</li>
<li>Deputy Governor, Reserve Bank of India - Member</li>
<li>Information Technology Secretary from the states by rotation - Member</li>
<li>Director, IIT by rotation from the IITs - Member</li>
<li>Director General of Police from the States by rotation - Member</li>
<li>President, NASSCOM - Member</li>
<li>President, Internet Service Provider Association - Member</li>
<li>Director, Central Bureau of Investigation - Member</li>
<li>Controller of Certifying Authority - Member</li>
<li>Representative of CII - Member</li>
<li>Representative of FICCI - Member</li>
<li>Representative of ASSOCHAM - Member</li>
<li><i>President, Computer Society of India - Member</i></li>
<li>Group Coordinator, Department of Electronic and Information Technology - Member Secretary</li>
</ol>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/cyber-regulations-advisory-committee-no-civil-society'>https://cis-india.org/internet-governance/blog/cyber-regulations-advisory-committee-no-civil-society</a>
</p>
No publisher | pranesh | IT Act, Internet Governance, Public Accountability | 2013-01-09T17:56:57Z | Blog Entry
Porn ban: People will soon learn to circumvent ISPs and govt orders, expert says
https://cis-india.org/internet-governance/news/the-times-of-india-august-2-2015-karthikeyan-hemalatha-porn-ban
<p style="text-align: justify; ">The article by Karthikeyan Hemalatha was published in the <a class="external-link" href="http://timesofindia.indiatimes.com/tech/tech-news/Porn-ban-People-will-soon-learn-to-circumvent-ISPs-and-govt-orders-expert-says/articleshow/48320914.cms">Times of India</a> on August 2. Pranesh Prakash gave inputs.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government used other sections of the Act to circumvent this provision. Sources in the Department of Telecommunication, which comes under the ministry of communications and information technology, said a notification had been issued under Section 79 (b) of IT Act under which internet service providers could be penalized for not following government orders. "Though the section protects an internet service provider (ISP) from legal action for the content it may allow, it can be penalized for not following government orders to ban them," said Prakash.<br /> <br /> Last month, the Supreme Court declined to pass an interim order to block websites which have pornographic content. "Such interim orders cannot be passed by this court. Somebody may come to the court and say 'look I am above 18 and how can you stop me from watching it within the four walls of my room?' It is a violation of Article 21 [right to personal liberty]," said Chief Justice H L Dattu.<br /> <br /> The judge was reacting to a public interest litigation filed by advocate Kamlesh Vashwani who was seeking to block porn websites in the country. "The issue is definitely serious and some steps need to be taken. The Centre is expected to take a stand. Let us see what stand the Centre will take," the Chief Justice said and directed the Centre to reply within four weeks. Over the weekend, the stance became clear.<br /> <br /> Sources also say that Section 19 (2) of the Constitution was used for the ban. The section allows the government to impose "reasonable restrictions in the interest of sovereignty and integrity of India, security of the state, decency or morality or in relation to contempt of court."<br /> <br /> For netizens, the government could actually be providing crash courses on proxy sites. 
"This is the best way to teach people on how to circumvent ISPs and government orders," said Prakash, adding that real abusive porn sites might still be available.<br /> <br /> "There is no dynamic mechanism to block all sites with pornographic content. The government has to individually pick URLs (uniform resource locator) to ban websites. Right now, only popular websites have been banned and the little known abusive sites like those that propagate revenge porn or child porn," said Prakash. "No ban can be comprehensive," he added.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-times-of-india-august-2-2015-karthikeyan-hemalatha-porn-ban'>https://cis-india.org/internet-governance/news/the-times-of-india-august-2-2015-karthikeyan-hemalatha-porn-ban</a>
</p>
No publisher | pranesh | IT Act, Censorship, Freedom of Speech and Expression, Internet Governance, Digital Media, Chilling Effect | 2015-08-05T01:47:52Z | News Item
Porn block in India sparks outrage
https://cis-india.org/internet-governance/news/the-australian-news-august-5-2015-amanda-hodge-porn-block-in-india-sparks-outrage
<b>
India’s government has triggered a storm of protest after blocking 857 alleged pornography websites, with privacy and internet freedom campaigners, as well as consumers, condemning the move as arbitrary and unlawful.
</b>
<div>
<p style="text-align: justify; ">The article by Amanda Hodge was published in the <a class="external-link" href="http://www.theaustralian.com.au/news/world/porn-block-in-india-sparks-outrage/story-e6frg6so-1227470074078">Australian</a> on August 5, 2015. Pranesh Prakash gave his inputs.</p>
<hr />
<p style="text-align: justify; ">The order, enforced since Sunday by the country’s main internet service providers, comes amid debate about the influence of pornography on sex crime in India, and as the Supreme Court considers a petition by lawyer Kamlesh Vaswani to ban pornographic websites that harm children.</p>
<p style="text-align: justify; ">The government has been forced to defend the move, saying it was taken in response to Supreme Court criticism at inaction against child pornography websites, although the Supreme Court itself has refused to impose any interim ban while it considers the petition. The websites — a fraction of the world’s millions of internet pornography sites — will remain blocked until the government figures out how to restrict access, a spokesman said.</p>
<p style="text-align: justify; ">Critics have slammed the measure as unconstitutional and pointed out the list includes adult humour sites that contain no pornographic content. Others have suggested it is another intrusion into the private lives of ordinary Indians by an administration intent on pushing a puritanical Hindu agenda, citing the recent ban on beef in several states and an alleged “Hindu-isation” of school textbooks.</p>
<p style="text-align: justify; ">That prompted outrage from Telecom Minister Ravi Shankar Prasad. “I reject with contempt the charge that it is a Talibani government. Our government supports free media, respects communication on social media and has respected freedom of communication always,” he said.</p>
<p style="text-align: justify; ">While India has no law preventing citizens accessing internet pornography, regulations do restrict the publishing of “obscene information in electronic form”. Centre for Internet and Society policy director Pranesh Prakash told <i>The Australian</i> yesterday that some elements of that act were welcome — such as prohibition of child pornography and the uploading of a person’s private parts without consent — but “the provisions relating to ‘sexually explicit materials’ are far too broad, with no exceptions made for art, architecture, education or literature”.</p>
<p style="text-align: justify; ">Mr Prakash said the pornography ban amounted to an “abdication of the government’s duty”, given the list of sites blocked was provided on request to the government by one of the Vaswani petitioners. “The additional solicitor-general essentially asked one of the petitioners to provide a list of websites, which she passed on to the Department of Information Technology, which in turn passed to Department of Telecommunications asking for them to be blocked or disabled.</p>
<p style="text-align: justify; ">“That is not acceptable in a democracy where it is not the government which has actually found any of these websites to be unlawful.” Mr Prakash also criticised the secrecy surrounding the order, which he said contravened Indian law requiring a public declaration of any intended ban so that it might be challenged. The bans were made under “Rule 12” of India’s IT Act, which empowers the government to force ISPs to block sites when it is “necessary or expedient”.</p>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-australian-news-august-5-2015-amanda-hodge-porn-block-in-india-sparks-outrage'>https://cis-india.org/internet-governance/news/the-australian-news-august-5-2015-amanda-hodge-porn-block-in-india-sparks-outrage</a>
</p>
No publisher | pranesh | IT Act, Censorship, Freedom of Speech and Expression, Internet Governance, Digital Media, Chilling Effect | 2015-08-05T02:10:46Z | News Item
Place for a safety net
https://cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net
<b>Vinupriya took her life last week, humiliated by the morphed images of her naked body posted on a social media site. Experts warn that the spike in Internet traffic brings with it an increase in online sexual crimes. Measures must be taken urgently to save lives, they tell T.V. Jayan.
</b>
<p align="justify"><a class="external-link" href="http://www.telegraphindia.com/1160710/jsp/7days/story_95759.jsp">The article was published in the Telegraph on July 10, 2016</a>.</p>
<hr />
<p align="justify">Sangeeta (not her name) was 25 and working for a private company in Mumbai when she suddenly told her family that she was going to quit her job and stay at home. Her parents were flummoxed, but questioning and coaxing yielded no answers. As the days rolled on, the management graduate slipped into depression. Her worried family took her to a counsellor. And it was only then that she came out with her story.</p>
<p align="justify">Soon after she joined the company, Sangeeta got romantically involved with her boss. By the time she learnt he was married, the involvement had taken a physical turn. And when she tried to put an end to it, the man, who had recorded their intimate moments, used the video clips to blackmail her for sexual favours. After Sangeeta's confession and a police complaint, the blackmailing boss was nabbed and put behind bars.</p>
<p align="justify">Vinupriya, an undergraduate student from Salem, Tamil Nadu, was not so lucky. She found that her morphed images had been uploaded on Facebook. She committed suicide last week after her parents refused to believe her story, and the police failed to act swiftly.</p>
<p align="justify">Cyber experts are alarmed by the increase in online crimes against women in India. According to them, what is more worrying is that though the risks are catastrophic, the issues are not being addressed at a larger level.</p>
<p align="justify">"Vinupriya's case is particularly frightening. I suspect this would be the first of many such tragedies. They might even result in honour killings, as such crimes can destroy the reputation of families," says American cyber lawyer Parry Aftab, executive director of the voluntary organisation, Wired Safety, which she founded 20 years ago, and which deals extensively with cyber stalking and other crimes.</p>
<p align="justify">Earlier this week, a man was arrested in Delhi for sending obscene messages to more than 1,500 women in the National Capital Region. According to the police, the miscreant would randomly dial any number and if the caller turned out to be a woman, he would save the number and later check out her WhatsApp profile picture. He would then send obscene clips to the woman. One news report said some of the marriages were in trouble because husbands had seen the messages and suspected that their wives were in a relationship with the man sending those explicit messages.</p>
<p align="justify">Aftab has been studying the dangers of online stalking for a while. There are no figures on this in India, but a top United Nations official, stationed in New Delhi and dealing with trafficking, told her that about 500 rape and sexual assault cases were recorded and shared over WhatsApp in India this year.</p>
<p align="justify">She referred to a study conducted in the US that said one in three girls and boys engaged in sexting. Children involved in sexting contemplated suicide three times more than others of the same age, she said.</p>
<p align="justify">According to her, Wired Safety volunteers come across five cases of sextortion and sexting every day from Asian countries, including India, and act upon them by red-flagging social media organisations where such images are posted.</p>
<p align="justify">Pavan Duggal, a cyber lawyer based in Delhi, feels that social media service providers are not doing enough to stop online sexual abuse. "They are hiding behind a 2015 Supreme Court judgment, which said content can be removed only on judicial orders or in response to government notifications," he says.</p>
<p align="justify">The verdict he refers to was delivered in a case filed by a student called Shreya Singhal. In 2012, two girls were arrested over their Facebook post questioning the Mumbai shutdown for Shiv Sena patriarch Bal Thackeray's funeral. The incident made an impression on Singhal, a student of astrophysics at the University of Bristol, who was in India at the time.</p>
<p align="justify">Upon research she discovered that Section 66(A) of India's IT Act was subjective and any seemingly offensive social media post could land anyone in jail. Singhal filed a writ petition in the Supreme Court protesting that the section violated the constitutional right to freedom of speech and expression, and in 2015, the apex court ruled in her favour.</p>
<p align="justify">This judgment, however, emboldened cyber miscreants. "All the cyber bullies and cyber stalkers now have a misplaced feeling that nothing can happen to them," says Duggal. He points out that while the delivery of justice takes time, the harassment happens 24x7.</p>
<p align="justify">"Who do the victims turn to for help? There are provisions in the 2011 IT rules that clearly say that social media service providers should have rules and regulations in place to deal with objectionable content, but they do not act," he holds.</p>
<p align="justify">Aftab, however, believes that some efforts are in place. She cites the example of Microsoft's PhotoDNA technology, which is used by many social media and online search firms, including Facebook, Google and Twitter, to prevent child pornography on the Internet. PhotoDNA works by creating a number of mini hashes on a single image and combining them to have a full hash. If anything is changed, even a pixel, then the hash signature will not match.</p>
<p align="justify">But she holds that on a larger scale, it is difficult to technologically deal with revenge porn, sextortion (using a sexual or provocative image to blackmail people for sexual favours) and sexting (sharing sexually provocative images of people, especially women) with the intention of damaging reputation.</p>
<p align="justify">Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, hints at a lack of initiative on the part of the social media organisations. "When it comes to enforcing intellectual property, organisations like Facebook do an excellent job of keeping their platform free of copyright infringement," he says. "So, clearly these companies can police activities on their platform when it affects their bottom-line."</p>
<p align="justify">And while this debate continues, more and more Indians join the online experience, thereby increasing the chances of more such cases. Aftab, who plans to set up a voluntary organisation relating to cyber safety in India, says it is best to focus on proactive measures in the interim.</p>
<p align="justify">Last month, she addressed 1,200 teenage girls from a Bangalore college. "One of the first questions posed to me was from a young girl who said she was currently being blackmailed by someone who threatened to morph her pictures into sexually explicit images and send them to her family and others. Morphed image issue seems to be a lot more serious in India than in the West."</p>
<p align="justify">The problem, she stresses, is that such incidents can lead to self-harm. To counter this, the affected person needs to inform his or her family and enlist their support. Together, they should approach social media organisations to ensure that the objectionable content is removed in time. To prevent the offenders from doing further harm, they then need to take the help of law enforcement agencies.</p>
<p align="justify">"The government for its part must amplify the voices of women and hold these Internet corporations accountable for an information escrow. There should be an independent mechanism to monitor whether Internet platforms are taking complaints from women seriously," Abraham says. Only then can a young girl like Vinupriya pluck up the courage to fight online abuse.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net'>https://cis-india.org/internet-governance/news/the-telegraph-july-10-2016-place-for-a-safety-net</a>
</p>
No publisher | praskrishna | IT Act, Internet Governance | 2016-07-13T02:45:56Z | News Item