Regulating ‘Indian’ Cyberspace

Regulating ‘Indian’ Cyberspace – The Battle for

‘Control’ in the New Media Version 2.0

Cyber hacking poses a serious threat to all internet based activities and transactions.

Inspite of recent amendments, the Information Technology Act does not deal with

cyber crimes effectively. What is urgently required is a detailed data protection law.

Traditional legal systems have had great difficulty in keeping

pace with the rapid growth of the Internet and its impact

throughout the world. Whilst laws have been enacted and a

few cases have been decided that affect the Internet, they

have left most of the difficult legal issues to the future. Inspite

of the recent proliferation of legislation world-wide, it is

unlikely that courts and legislators will be able to provide

sufficient guidance in a timely fashion to business (and

lawyers) to enable them to engage in commerce on, or

otherwise take advantage of, the Internet in a manner that

avoids or minimises unexpected consequences or liabilities.

Internet and electronic based trading systems are affecting

all aspects of commercial/business entities. The Internet

revolution allows IT-centric management to make timelier

and higher quality decisions.

The Internet has tested the limits of regulation, prompting

some to declare ‘independence’1 and yet others to declare

it beyond the limits of governance2 . Jack Goldsmith and

Tim Wu in their recent text focus on state responses to the

Internet’s challenge to national sovereignty.3 Goldsmith

and Wu explore three main arguments. First, the Internet

is a medium like any other, and national governments

continue to exercise control over the Internet by exercising

national law. Second, geography and government retain

their central importance in the Internet despite continued

globalisation. Third, an increasingly ‘bordered’ Internet is

an important development.

When the preliminary draft version of India’s internet and ecommerce

legislation was prepared it was entitled – “Electronic

Commerce Bill”; in line with its prime objectives and duly

referring to the Ministry of Commerce which produced it.

With the creation of the Ministry of Information Technology,

the draft Bill was re-christened with a rather ‘generic’ title.

The raison d’être of the Information Technology Act, 2000

(enacted on October 17, 2000, the “IT Act”) was - “functional

equivalence” that electronic records and transactions would

be accorded an equal weight in evidence law as ‘traditional

paper records’.

The General Assembly of the United Nations by resolution

dated the 30th January, 1997 had adopted the Model Law on

Electronic Commerce and recommended that all States should

give favourable consideration to it when they enact or revise

their laws.

The Information Technology Act, 2000 has been passed to

give effect to the UN resolution and to promote efficient

delivery of Government services by means of reliable electronic

records.

The amendments: A ‘reaction’

The amendments to the Information Technology Act to a

measurable extent are a “reaction” to recent developments such

as service provider liability issues and auction sites; sleazy

MMS clips and the like. In major part, desirable as most

reactions are, offences under the Act have been made

compoundable4 ; that is to say, the parties can compound the

case i.e. settle it between themselves. This is welcome as most

crimes target specific individuals and it is right for individuals

to sort out the situation.

e-mail :

rodney.ryder@kochhar.com

1. In February 1996, John Perry Barlow issued a manifesto called <A

Declaration of the Independence of Cyberspace> available at <http://

www.eff.org/pub/Publications/John_Perry_Barlow/barlow0296.

declaration>

2. Johnson, David R. /Post, David G., Law and Borders - The Rise of Law in

Cyberspace, 48 Stanford Law Review 1367 – 1402 [1996].

3. Who Controls the Internet? Illusions of a Borderless World, Oxford

University Press

4. Section 77A provides that the ‘offences under sections 66, 66A, 72 and

72A may be compounded by the aggrieved person.’

Articles

The offences which have been made compoundable

are:

􀂄 Section 66 : If a person dishonestly or fraudulently does

any act which damages the computer or the computer

system, he is liable to a fine of up to five lakhs or be

imprisoned for a term of up to three years. A host of

new sections have been added to section 66 as sections

66A to 66F prescribing punishment for offenses such as

obscene electronic message transmissions, identity theft,

cheating by impersonation using computer resource,

violation of privacy and cyber terrorism.

􀂄 Section 66A: If any person sends by means of a computer

resource or a communication any content which is grossly

offensive or has a menacing character or which is not

true but is sent to create nuisance, annoyance, criminal

intimidation, hatred or ill will etc. shall be imprisoned

for an imprisonment term which may be up to three

years combined with a fine.

􀂄 Section 67 of the old Act is amended to reduce the term

of imprisonment for publishing or transmitting obscene

material in electronic form to three years from five years

for first conviction and increase the fine thereof from

Indian Rupees 100,000 (approximately USD 2000) to

Indian Rupees 500,000 (approximately USD 10,000).

A host of new sections have been inserted as Sections 67

A to 67C. While Sections 67 A and 67 B insert penal

provisions in respect of offences of publishing or

transmitting material containing sexually explicit act and

child pornography in electronic form, section 67C deals

with the obligation of an intermediary to preserve and

retain such information as may be specified for such

duration and in such manner and format as the Central

Government may prescribe.

􀂄 In view of the increasing threat of terrorism in the country,

the new amendments include an amended section 69 giving

power to the State to issue directions for interception or

monitoring of decryption of any information through any

computer resource. Further, sections 69 A and 69 B, two

new sections, grant power to the state to issue directions

for blocking for public access of any information through

any computer resource and to authorize to monitor and

collect traffic data or information through any computer

resource for cyber security.

􀂄 Section 72: If a person is found in possession of some

information like electronic record, book, register,

correspondence and he is found disclosing it to any third

party without the consent of the person concerned, then

he shall be punished with imprisonment for a term which

may be up to two years, or a fine which may extend to

One Lakh rupees, or with both.

􀂄 Section 72A: If any person while providing services under

the terms of the contract, has secured access to any

material containing personal information about another

person, with the intent to cause wrongful loss or wrongful

gain discloses the information, without the person’s

consent or in breach of a lawful contract, shall be

punished with imprisonment for a term which may extend

to three years or with fine which may extend to five

lakh rupees or with both.

THE ‘MEDIUM’ NOT THE ‘MACHINE’/‘DEVICE’

It is important to remember that the Internet is principally a

medium; which can be regulated by regulating its “layers”. A

law to be effective must apply to (or regulate) one or more

“layer” that is: (a) the physical (the wires, hardware, the

‘device’ itself); (b) the digital (the code or the “spectrum”) or

(c) content (whether prohibited socially censored comments

or proprietary material).

DATA PRIVACY AND INFORMATION SECURITY

In view of recent concerns about the operating provisions in

the IT Act related to “Data Protection and Privacy” in addition

to contractual agreements between the parties the existing

Sections (viz. 43, 65, 66 and 72A) have been revisited and

some amendments/more stringent provisions have been

provided for in the Act. Notably amongst these are:

􀂄 Section 43(A) is related to handling of sensitive

personal data or information with reasonable security

practices and procedures. This section has been inserted

to protect sensitive personal data or information

possessed, dealt or handled by a body corporate in a

computer resource which such body corporate owns,

controls or operates. If such body corporate is negligent

in implementing and maintaining reasonable security

practices and procedures and thereby causes wrongful

loss or wrongful gain to any person, it shall be liable

to pay damages by way of compensation to the person

so affected.

􀂄 Gradation of severity of computer related offences

under Section 66 has been amended, now if an offence

is committed dishonestly or fraudulently then

punishment is for a term which may extend to three

years or a fine which may extend to Rs 5 lakhs or with

both;

􀂄 The addition of Section 72 A for breach of confidentiality

with the intent to cause injury to a subscriber. This is

Regulating ‘Indian’ Cyberspace – The Battle for ‘Control’ in the New Media Version 2.0

Articles

recognised as providing sufficient protection under the

EC Directive.5

Contractual agreements are those agreements which are

signed between parties where one party provides services

on the basis of the contract signed. There is always a

provision in any contractual agreement of not to disclose

any information which is imperative for the running of the

business. According to Section 72 A if anyone is found

disclosing any information of a third person, without his

consent he shall be punished with imprisonment upto three

years or a fine of Rs 500,000.

The problem remains with ambiguous phrases. For instance,

the amended Section 43A makes it mandatory for companies

to include ‘reasonable security practices and procedures’ while

handling data. “Reasonables security practices and procedures”

has been clearly defined in “explanation” under section 43A.

It is recommended that organisations follow the standards

prescribed by the Computer Emergency Response Team

(CERT). CERT’s primary role is to raise security awareness

among the cyber community and to provide technical assistance

and advice them to help them recover from computer security

incidents.

CERT provides technical advice to System Administrators and

users to respond to computer security incidents. It also identifies

trends in intruder activity, works with other similar institutions

and organisations to resolve major security issues, and

disseminates information to the cyber community. CERT also

enlightens its constituents about the security awareness and

best practices for various systems and networks by publishing

advice, guidelines and other technical documents. The

European Network and Information Security Agency (ENISA)

performs similar functions to the CERT. The basic regulation

which established ENISA is the Regulation (EC) No 460/

2004.6

NODAL AGENCY

The new amended Act of 2008, enforced on 27.10.2009

provides for a central agency in respect of Critical Information

Infrastructure7 . Further Indian computer emergency response

team has been nominated for coordinating all actions relating

to information security practices, procedures, guidelines,

incident prevention, response and reporting.8

CYBER CRIME, EVIDENCE AND PUNISHMENT

The Act provides for essentially economic offences or crimes

in the medium that are linked to economic loss or detriment.

The Government would do well to take a proverbial leaf from

the OECD Guidelines for the Security of Information Systems

and Networks9 and the Council of Europe’s Convention on

Cybercrime.10 Social offences like pornography when included

are superfluous due to the existing provisions in the Indian

Penal Code covering pornography. Though pornography has

not been defined under the code, section 292 clearly states

that “a book, pamphlet, paper, writing, drawing, painting

representation, figure or any other object, shall be deemed to

be obscene if it is lascivious or appeals to the prurient interest

or if its effect,” Neither has the language or expression changed

from 1860, the year when the Indian Penal Code came into

force. The inclusion of a provision banning child pornography

could well be a case of ‘over legislation’ considering the

existing blanket ban on pornography per se; both in the

Information Technology Act, 2000 (section 67) as well as the

Indian Penal Code, 1860 (section 292).

Section 84(A) has been inserted for providing modes and

methods for encryption for secure use of the electronic

medium. This is a welcome guidance. Section 69, related to

power to issue directions for interception or monitoring or

decryption of any information through any computer resource,

has been amended to take care of the concerns of the Ministry

of Home Affairs which include the safety, sovereignty,

integrity of India, defence of India, to maintain friendly

relations with other nations and preventing incitement to the

commission of any cognizable offence relating to these.

5. Directive 2002/58/EC of the European Parliament and of the Council of

12 July 2002 concerning the processing of personal data and the protection

of privacy in the electronic communications sector (Directive on privacy and

electronic communications) available at <http://eurlex.europa.eu/

LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML>

6 See REGULATION (EC) No 460/2004 OF THE EUROPEAN PARLIAMENT

AND OF THE COUNCIL of 10 March 2004 establishing the European

Network and Information Security Agency available at <http://

eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:077:

0001:0011:EN:PDF>

7 “Information infrastructures form an essential part of critical

infrastructures. In order effectively to protect critical infrastructures, therefore,

countries must protect critical information infrastructures from damage and

secure them against attack. Effective critical infrastructure protection includes

identifying threats to and reducing the vulnerability of such infrastructures

to damage or attack, minimizing damage and recovery time in the event that

damage or attack occurs, and identifying the cause of damage or the source

of attack for analysis by experts and/or investigation by law enforcement.”

G8 Principles for Protecting Critical Information Infrastructures (Adopted

by the G8 Justice & Interior Ministers, May 2003) available at <http://

www.usdoj.gov/criminal/cybercrime/g82004/G8_CIIP_Principles.pdf>

8. Section 70 A of the Act

9. See OECD Guidelines for the Security of Information Systems and Networks

available at <http://www.oecd.org/dataoecd/16/22/15582260.pdf>

10. Convention on Cybercrime available at <http://conventions.coe.int/

Treaty/en/Treaties/Html/185.htm>

Regulating ‘Indian’ Cyberspace – The Battle for ‘Control’ in the New Media Version 2.0

Articles

New section 79 A11 (Examiners of Electronic Evidence) has

been added to notify the examiners of electronic evidence by

the Central Government. This will help the Judiciary/

Adjudicating officers in handling technical issues.

Section 79 has been revised to bring-out explicitly the extent

of liability of intermediary in certain cases. The EU Directive

on E-Commerce 2000/31/EC issued on June 8, 2000 has been

used as a guiding document.12

OTHER AMENDMENTS

􀂄 The term “digital signature” has been replaced with

“electronic signature”.

􀂄 “Communication Device” has been defined as cell

phones, personal digital assistance or combination of both

or any other device used to communicate, send or

transmit any text, video, audio or image.

􀂄 “Cyber café” has been defined as any facility from

where the access to the internet is offered by any person

in the ordinary course of business to the members of

the public.

􀂄 A new definition has been inserted for “intermediary”.

“Intermediary” with respect to any particular electronic

records, means any person who on behalf of another

person receives, stores or transmits that record or

provides any service with respect to that record and

includes telecom service providers, network service

providers, internet service providers, web-hosting

service providers, search engines, online payment sites,

online-auction sites, online market places and cyber

cafes, but does not include a body corporate referred

to in Section 43A.

􀂄 New section 10A has been inserted to the effect that

contracts concluded electronically shall not be deemed

to be unenforceable solely on the ground that electronic

form or means was used.

􀂄 The damages of Rs. One Crore (approximately USD

200,000) earlier prescribed under section 43 of the Act

for damage to computer, computer system etc. has been

deleted and the relevant parts of the section have been

substituted by the words, “he shall be liable to pay

damages by way of compensation to the person so

affected”.

􀂄 A proviso has been added to Section 81 which states

that the provisions of the Act shall have overriding

effect. The proviso states that nothing contained in the

Act shall restrict any person from exercising any right

conferred under the Copyright Act, 1957 or the Patents

Act, 1970.

DRAWBACKS OF THE NEW PROVISIONS

The amendments ignore existing international classifications

of cyber crimes. The Council of Europe’s Convention on

Cybercrime13 identifies the following as offences which should

be incorporated into substantive criminal law; some of the

provisions are particularly relevant, which are:

I. Computer-related offences

Computer-related fraud (Art. 8)

II. Content-related offences

Racial hatred, obscenity, amongst other classifications

III. Offences related to infringements of copyright and related

rights

Offences related to infringements of copyright and related

rights (Art.10)

TOWARDS A PRIVACY REGIME

While the amended version of the Act strengthens provisions

on confidentiality and data privacy; the inclusion of a solitary

provision on data privacy is quite in contrast to Europe where

data protection provisions are enshrined in Directives at the

EU level and in national legislation. In fact, data protection is

sine qua non for aspirant members to the European Union,

and also for companies who receive data from the EU. “Data

subjects” must have rights enshrined in explicit rules with a

detailed enforcement mechanism rather than relying on a lone

section to do the task elsewhere performed by an entire Act!

A detailed data protection law is needed; not merely for the

ITES industry but for the citizens of India. The right to know

balanced with the right to privacy is the hallmark of a

democracy. 􀂉

11. Section 79A – ‘The Central Government may, for the purposes of providing

expert opinion on electronic form evidence before any court or other authority

specify, by notification in the Official Gazette, any Department, body or

agency of the Central Government or a State Government as an Examiner of

Electronic Evidence.’

12. See Section 4 Article 12 of EU Directive on E-Commerce 2000/31/EC

issued on June 8th 2000 available at <http://eurlex.europa.eu/smartapi/

cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc

=32000L0031&model=guichett>

13. See Convention on Cybercrime available at <http://conventions.coe.int/

Treaty/en/Treaties/Html/185.htm>

Regulating ‘Indian’ Cyberspace – The Battle for ‘Control’ in the New Media Version 2.0

Tags :Corporate Law