Pakistan took an important step in cyberspace regulation on
September 11, 2002, by promulgating the Electronic Security Ordinance 2002 (ESO
2002), similar to the Information Technology Act 2000 of India.
The objective of the ordinance is to promote E-Commerce in
Pakistan. According to the press briefing made by Dr Attaur Rehman, the
Minister of Science and Technology, e-commerce
in Pakistan has been growing at a phenomenal pace from $43 billion in 1998 and
is expected to grow to over $2000 billion by the year 2003. It is estimated
that about 10 per cent of all business-to-business transactions would be
carried out electronically by the year 2004. He opined that the ordinance is
an essential prerequisite for e-commerce growth and would have great economic
impact in the years to come.
ESO-2002 is essentially a piece of
legislation that provides legal recognition for electronic documents and
electronic signatures and sets up the necessary legal framework for the working
of the Electronic Signature system.
ESO-2002 follows the UNCITRAL Model Law for
E-Commerce and improves upon the approach of ITA-2000 in some respects.
One of the important areas where the ESO-2002 differs from
ITA-2000 is in the constitution of the apex office for regulating the
Electronic Signature System (referred to as the Digital Signature System in
ITA-2000).
The Controller's Office as per ITA-2000
In India, the apex institution for Digital Signature
management is the Controller of Certifying Authorities, who is the licensing
authority for Certifying Authorities authorized to issue Digital Signature
Certificates to users. He is also the repository for the Digital Signature
Certificates issued.
The Controller has also been vested with certain
quasi-judicial powers mainly for the purpose of controlling the operations of
the Certifying authorities and for the purpose of interception and decryption
of electronic messages in the interest of the nation.
The Indian office of the Controller consists of an
individual who is assisted by the Deputy Controller and Assistant Controller
as may be found necessary. The Controller participates in the
larger policy modifications as a member of the Cyber Regulations Advisory
Committee.
However, the Controller is ultimately an officer of the
Government and is not an independent statutory authority like the Cyber
Appellate Tribunal.
Pakistani Approach-The Certification Council
In contrast, the apex Electronic Signature System management authority
as per the ESO is a multi-member "Electronic Certification Accreditation
Council". It would be a body corporate (similar to the Telecom
Regulatory Authority of India and the proposed Communication Convergence
Commission).
The Council would comprise five members, with four members
being drawn from the private sector. One of the members would be designated as the
Chairman. The term of appointment would be three years.
It is interesting to note that there are strict
qualification parameters fixed for the members of the council.
For example, of the five members, one shall be a telecommunication engineer
with at least 7 years of experience, of which one year is in the field of
cryptographic services.
Two of the members shall be professionals or academics with at least
7 years of work experience in the field of Information Technology, and one
should have an administrative background with at least seven years of
experience in a private or public organization.
Another member shall be an advocate with at least seven
years' experience and adequate knowledge of laws relating to information
technology and telecommunications.
Thus the constitution of the Council ensures availability
of techno-legal as well as administrative experience.
It may be noted that the Controller in India has, on his own
initiative, set up a sub-committee under him referred to as the "IT ACT
Policy Advisory Group" (of which Naavi is one of the members). This has drawn
members from the private sector and the legal community and provides some
guidance from time to time to the Controller. This is a good beginning which
perhaps could be further strengthened through more frequent interaction of the
group with the Controller.
Additionally, the Cyber Regulation Advisory Committee has
some representation from industry bodies such as the CII, ASSOCHAM, FICCI,
ISPAI and Nasscom to provide the inputs from the private sector. It is not
clear however whether the ex-officio members of these organizations with
multiple responsibilities of their own can effectively contribute to the
improvement of the regulations.
The Pakistani approach perhaps brings different functional
experts directly into the functioning of the Council with a term of three
years and may perhaps prove to be more effective.
Providing a Revenue Stream for the Certification Council
It is also interesting to observe that a revenue stream for
funding the Council has been provided for in the form of a fee of up to Rs
10/- for every certificate deposited in the repository, besides the
accreditation fees or fines collected from the Certificate Service Providers.
This is a good revenue source directly related to the growth in the business
of Electronic Signature Certification in the Country.
In the Indian context, the Controller is dependent on the
Ministry for meeting the expenses. The License fee generates only a minuscule
income, and the provision of "Fines" for violations by Certifying
Authorities is not a desirable source of revenue. As a
result, the office of the Controller is an expenditure center for the ministry
and this is likely to limit the technological upgradation needs of the
department in the long run.
Developmental Functions:
Yet another point to be observed is that the functions
assigned to the Certification Council of Pakistan include carrying out research and
studies in relation to cryptography services, obtaining public opinion in
connection therewith, and giving advice to any person in relation to any
matter covered under the ordinance.
Thus it is envisaged that the Certification Council is
not only a body to regulate the electronic signature system but could also
develop into an apex research and consultancy institute for the cryptography and
related industries.
This forethought and developmental vision in the
constitution of the apex regulatory agency is one of the significant factors
of the legislation that must be appreciated.
In contrast, the Indian legislation limits the scope of the
Controller's office to merely "Regulation" and does not extend even to
essential spin-off functions such as "Research".
Take Off:
The ESO-2002 of Pakistan does give some useful ideas on how
we can improve our own office of the Controller of Certifying Authorities.