We have often discussed Section 79 of the ITA-2000 which protects the
ISP s from liability for Content carried by him. In this connection we
have defended the Cyber Cafe owner's cause against undue harassment by
law enforcement authorities.
Simultaneously, we need to alert the ISP s and the professionals working
in ISP s about the responsibility cast on them by Section 65 of the ITA-2000.
It appears that most ISP s have not clearly understood the implications
of the same. Let's not wait for the arrest of one of the IT professionals
from a leading ISP before we wake up.
Section 65 of ITA-2000 states as under.
Tampering with Computer Source Documents
Whoever knowingly or intentionally conceals, destroys or
alters or intentionally or knowingly causes another to conceal, destroy
or alter any computer source code used for a computer, computer programme,
computer system or computer network, when the computer source code is required
to be kept or maintained by law for the time being in force, shall be punishable
with imprisonment up to three years, or with fine which may extend up to
two lakh rupees, or with both.
Explanation -
For the purposes of this section, "Computer Source Code" means the
listing of programmes, Computer Commands, Design and layout and programme
analysis of computer resource in any form.
This section clearly lays down that the person responsible for maintaining
records generated in a Computer has a responsibility to keep the records
safe "when the computer source code is required to be kept or maintained
by law for the time being in force".
The term "Source Code" mentioned here covers inter-alia, all "Server
Logs" that record the happenings in a Computer system. Even though there may be some doubt as to
the applicability of the term "Source Code" to server log records, the context in which the term has been used
as well as the fact that the header information of a mail is a "Computer Command generated by the e-mail programme", and the server log record is a "list of such commands"
indicate that any such records will be covered under the definition.
One of the critical areas where the ISP s such as VSNL, Satyam, Dishnet
and others would be questioned is in regard to the "E-Mail" data. As from
October 17, 2000, every e-mail sent and received by any person in India
is an electronic record that can be produced as evidence in a court of
law.
Even though it is possible to produce a print copy of an e-mail as proof
of evidence, the better option would be to produce the "Message ID", the
"Arrival time of an incoming mail" or "Out time of an outgoing mail". The
time of entry and exit of the message is also relevant for determining
the contractual effect of the message.
Normally every ISP automatically captures the above data in their server
logs and if necessary it can be maintained in a backup. When called upon
by a Court to produce, this record can be produced by the ISPs. Just as
in the case of a "Registered Post" the post office can give evidence whether
a particular letter was sent/received or not sent/received, even though it cannot certify
the contents, the ISP can certify whether a message was sent/received or
not. This would be a very powerful secondary evidence of the message itself
even though the ISP cannot certify the contents.
At present the Government has not notified the "Time" upto which such
records are to be maintained. The European Home Office has proposed that
ISPs and other network operators retain data on telecommunications usage,
such as records of e-mail and Internet use, for seven years. This is an
important notification due from the Government of India in respect of ITA-2000. In the meantime, ISP s
will be required to keep the records for a "Reasonable Time".
Have the ISP 's realized this responsibility? Are they aware that
if what they consider as "Reasonable Time" is considered "Unreasonably
short", they may find themselves in jail for three years for "Knowingly
destroying" the evidence which may be required either by a law enforcement
authority for solving a crime or by a member of the public to prove a contractual
document?.
Considering the norms set by the European Home office as well as our
own norms in respect of Bankers Books Evidence Act, as well as the slow
judicial process in India, ISP s must be prepared to look at keeping the
records for a "Reasonable Time" of upto 7 years.
Simultaneously, ISP s must also be prepared to keep the records permanently
at the request of their customers, failing which they may be accused
of knowingly destroying the evidence.
Since we are only into the 8th month after the ITA-2000 becoming effective,
many of the ISP s may have the records still in tact. They must ensure
that they are not destroyed.
To remove doubts in this regard, the Ministry
of Information Technology will have to make a notification in this regard
immediately.
By publishing of this piece of article in the public domain,
the ISP s have now been put on notice and Courts in future may hold
that atleast from this day, the liability of ISP s
to maintain records for a reasonable period will crystallize. (I am making
notifying the major ISP s in this regard personally).
I am aware that the ISP will be shocked about this expectation as well
as the consequences of non compliance. Some of them will also say that
it is impractical since the data to be kept would be so huge that they
need several terra bytes of disk space to comply with the requirement.
As I have already discussed with some of the ISP s these are practical
problems that have commercial solutions. But the liability to maintain
the records is a prime duty and is fundamental to the legislation "Electronic
Documents Shall be Equal to the Paper Document". It will therefore be a
"Fundamental Right of a Netizen" to expect that ISP s do fulfill their
obligations to the society in this regard.
In order to clarify things and to determine different time periods for
storage of different types of data we actually need a law similar to the
Bankers Books Evidence Act. This law which may be called "Electronic
Documents Evidence Act" may not only prescribe what types of documents
are to be preserved and how long?, but also "how?" and "with what consequence?"
for non compliance. It can also state the procedure by which certified
copies of such documents may be produced in judicial proceedings.
Shall we expect some action from the MIT (Ministry of Information technology,
India) soon?
Naavi
May 25, 2001
Visit Cyber Law College.com which offers a Course on
Cyber Laws for ISP Managers
