Hurdles in Becoming a Certifying Agency
.

The essence of the ITA-2000 is the enablement of digital contracts through digital signatures. The Certifying  Authorities (CA) therefore will be the backbone of the Cyber Law infrastructure. If the laws are to be beneficial to the  commercial society, the CA s should be able to function properly. In spite of this importance, not sufficient care has been taken in drafting the Act or the Rules to make things easy and transparent for the CAs. It appears that this is being looked upon firstly as an area of serious concern as to the safety of the Netizens and secondly as a means of creating a new license raj.

As a point of concern, unnecessary regulation has been introduced in the Act itself to the extent that the Controller would effectively determine the business policies of the CA, with prescriptions which should normally be arrived at the corporate board rooms or the CEO s chamber. This refers to what products the CA can introduce, how much he would charge for them, how will he advertise them to the prospective customers, how will he deal with the customers and so on. It is unlikely that any other law in India is as intrusive as the ITA-2000 regarding the commercial aspects of business.

While we were expecting that these provisions along with some blunders that have been noticed in the Act would be corrected directly, when the Rules are announced, it is regrettable to note that some  more elements of confusion have been added in the rules. Some of these over rule the provisions of the Act itself raising the fundamental legal issue of whether the rules under an Act can change the provisions of the Act itself. This and some more aspects of the business of Certifying Authorities as envisaged in the Rules is discussed herein below.



Validity of the CA's license:

According the draft rules for ITA-2000, the license to carry on the business of the CA is valid for a period of one year and an application to renew has to be made no later than 3 months before the expiry of the license. 

This effectively means that the first license will be coming up for review within 9 months of issue. Considering that it may take atleast 3 months to set up a business as complicated as that of the CA, a business house will have hardly 6 months to work in peace before running upto the Controller's office. Considering the investments required for the setting up of the business and the time required to develop the staff and market the concept, most of the new CA's would not be able to perhaps issue even around 1000 certificates within the first license period. It may actually take 3 to 5 renewals before the business breaks even. Within this period they would be under the mercy of the Controller and dependent on getting the renewal to get back their investments.

This would create difficulty for CA aspirants from raising finance for the project. It is therefore necessary for the  initial licensing period to be increased to three years and subsequent renewals to be fixed for two years. Delinquents if any can always be controlled through the provision of suspension of license.

License Fee

The ITA-2000 had prescribed a ceiling of Rs 25,000 as license fees for Certifying authorities The rules however has increased it to Rs 150,000 under the following three heads.

1.Application fees Rs 100,000
2.License fee after application is approved Rs 25,000
3.License fee for the number of years the license is valid Rs 25,000 (for one year)

This raises a fundamental issue whether the rules under an Act can actually change the provisions of the Act itself.

Insurance against Loss

The rules has prescribed that every certifying authority has to insure himself against liability for loss of not less than rupees one crore for each claim arising out of any error or omission on the part of the applicant, its officers or employees.

While the need for the insurance cannot be debated, the defining of a pre-determined amount of Rs 1 crore was not necessary. The international practice amongst the Certifying agencies is to issue different classes of certificates with different "Reliance limits". The insurance needs would therefore depend on the product portfolio of each of the companies and by fixing an arbitrary limit of Rs 1 crore, the cost may be rendered prohibitive.

A cumulative effect of all the above factors is that it would be financially very difficult to make the Certifying Authority business a viable business proposition as a stand alone project keeping the cost of digital certificates low. In view of the importance of the role of the Certifying Authorities in giving effect to the Cyber laws, it is necessary to make changes that make  Digital certificates affordable to the common Netizen.
 

I urge NASSCOM and all the right thinking persons to get the proposed rules scraped so that a re-look can be ordered. It doesn't matter even if the implementation of the Act is delayed due to this. What we should remember is that ITA-2000 is a fundamental law that will define the rules of the digital society. We cannot allow the golden opportunity of creating a good law for the digital society be frittered away.

 P.S: A copy of the Rules is available on the site of the Ministry of Information and Technology

Naavi 

August 18,2000

BACK

.