Let's Build a Responsible Cyber Society


 

Making Life Easy For Criminals

 under

ITAA(p)-2005  ...a law for the privileged, by the privileged and to protect the privileged.

 

Under ITA-2000, Sections 65, 66, 67 and 70 were the principle clauses that defined some offences punishable under the Act. Section 85 as well as 79 determined Corporate responsibility for crimes.

ITAA(p)-2005 (We shall use this abbreviation for the amended act proposed by the "Expert Committee") has made significant changes to Sections 66 and 67 as well as Sections 85 and 79. 

The Committee which was expected to introduce punishments for some offences like Spamming, Cyber Stalking, Cyber Squatting, Cyber Terrorism etc chose to ignore these burning issues. Its attempt on Data Protection has also been faulty. 

The Cyber Crime Police Stations that have been set up at different parts of the Country in the wake of increasing Cyber Crimes may now become weak and irrelevant.

Judiciary has been further weakened. Now it is not only in the case of Civil cases that Courts will not have a say (Except on appeal at High Court level, but even the Magistrate Courts can be ousted by an executive letter.

The net effect of these changes has been to make life easy for criminals. As a result of these changes, many crimes will not get recognized, investigations will be frustrated and convictions will be rare.  ...Naavi


The current ITA-2000 was enacted basically to remove the hurdles for e-Commerce development. The principle objective was to give legal recognition to transactions on the digital space. Incidentally it was felt that current criminal laws may not be sufficient to address the issues of Cyber Space and hence a few clauses were introduced under Chapter XI to address specific offences in Cyber Space. Simultaneously, Section 43 in Chapter IX addressed the needs of a victim of a Cyber Crime to be compensated for the damages suffered. Leaving the offences related to Digital Signatures and the System of Certifying Authorities associated with it, the main clauses under which criminal offences were dealt with were Sections 65,66,67 and 70.

Out of the above, Section 66 is one of the critical clauses of ITA-2000 and the one which provided the greatest protection from Cyber Crimes to the Digital Society. The earlier drafting had made a slight error in giving a name to Section 66 offence, calling it as "Hacking" which had created some confusion amongst computer users. The reason was that the term "Hacking" had earlier been associated with the activity of  "Evaluating the vulnerabilities in the security of a network". Hacking therefore referred to an attempt to enter a network without authority and test the security barriers. Hackers were not the people who had intention to cause damage or commit a crime. Their intention was only to demonstrate that they can enter a network breaking the security barriers. Those hackers who had a bad intention were called "Crackers". It is for this reason that the Internet is replete with "hacker clubs" which are not considered illegal associations.

If we leave aside the perception problems associated with the general meaning associated with the term "hacking" in the net community, the earlier Section 66 was an excellent omnibus definition of offences against "Information Residing Inside a Computer". It is worthwhile recalling this section which states as follows.

66. Hacking with computer system

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

As can be derived from the above, the section gave recognition to a any act which resulted in "Affecting information residing in a computer injuriously". Diminution of value as it happens when a confidential information is shared with unauthorized persons was also covered providing the much talked about "Data Security".

It could be observed that the section did not limit to damage caused by "Entering the Network unauthorized". It could cover damage by "Any Means" indicating that even a physical damage could be covered.

What was required for making this section stick against a person as an offence was either "Intention" or "Knowledge".

ie, If a person knew that his action may cause damage, deletion, reduction in value or injury to information residing inside a Computer, and any of these things do happen, then the Section 66 offence is recognized with 3 years imprisonment liability.

This section therefore provided one of the highest protections for data residing inside a computer.

It is unfortunate that the "Expert Committee" has not understood the power of this section and now moved to make amendments which actually dilute the data protection aspects that were available in the section.

Now let us see what the amendment has proposed.

66 Computer related offenses: 

a)  If any person, dishonestly or fraudulently,  without permission of the owner or of any other person who is incharge of a computer resource

(i) accesses or secures access to such computer resource;

(ii) downloads, copies or extracts any data, computer data base or information from such computer resource including information or data held or stored in any removable storage medium;

(iii)  denies or causes the denial of access to any person authorised to access any computer resource;

he shall be punishable with imprisonment upto one year or a fine which may extend up to two lacs or with both; 

(b) If any person, dishonestly or fraudulently,  without permission of the owner or of any other person who is incharge of a computer resource

(i) introduces or causes to be introduced any computer contaminant or computer virus into any computer resource;

(ii)disrupts or causes disruption or impairment of electronic resource;

(iii) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer resource;

(iv) provides any assistance to any person to facilitate access to a computer resource in contravention of the provisions of this Act, rules or regulations made thereunder;

(v) damages or causes to be damaged any computer resource, date, (Ed: May be a typographic error for data), computer database, or other programmes residing in such computer resource;

he shall be punishable with imprisonment upto two years or a fine which may extend up to five lacs or with both;

 Explanation: For the purposes of this section-

 a. ‘Dishonestly’ – Whoever does anything with the intention of causing wrongful gain to one person, wrongful loss or harm to another person, is said to do this thing dishonestly”.

b. ‘Fraudulently’ – A person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise.

c. “Without the permission of the owner” shall include access to information that exceeds the level of authorized permission to access.

It can be observed from the above that the committee has removed the name "hacking" associated with the section, which is fine. But the committee has diluted the earlier provision which could invoke the section for "Injury" to information by "any means" with "Knowledge" or "Intention" with several restrictions.

Now this section can be invoked only if the following three conditions are satisfied.

a) Action should have been committed dishonestly or

b) Action should have been committed fraudulently or

c) Action should have been committed without authority

Secondly, while the scope of the section is limited to

a) Access

b) Downloading, copying or extraction of data

c) Introduction of Virus or Computer contaminant

d) Denial of Service

e) Causing disruption of service

f) Charging service availed to another person

g) Providing assistance to another person to contravene

h) Damaging the computer resource, data ( Ed: Date as indicated in the section is presumed to be a typographic error)

The actions listed here in as offences are the same for which civil liabilities are prescribed in Section 43. However, it has escaped the collective wisdom of the "Expert Committee" that the words in the earlier section such as "Diminution in value and injuriously affecting information" already covered all these aspects and many more.

Also, by making dishonest and fraudulent intentions prerequisites for the offence committed by an authorized person (remember most cyber crimes are committed by authorized employees), the scope of the section has been significantly restricted.

It is funny that the earlier section called it as "hacking" and covered a whole gamut of Cyber Crimes while the amendment calls it as "Offences relating to Computer" and restricts the coverage to "Unauthorized Access".

The attempted amendment to Section 66 betrays the lack of perspective knowledge of the expert committee and will continue to haunt the Ministry officials which was part of the process. It is strange that with people like Dr Vishwanathan available for consultancy, the Ministry deliberately kept him out of the committee and ended up making mistakes of the kind mentioned above. Dr Vishwanathan who was deeply involved in the drafting of the earlier version was fully aware of even the mistakes committed and not using his expertise can only be interpreted as an attempt to keep out those who would not have gone with the objectives that guided the amendment effort.

Additionally, since the period of imprisonment has been brought down from 3 years to two years, Police will not be able to even consider it a "Cognizable Offence" under CrPc (Even if such a possibility existed). Hence Police will find it difficult to proceed with investigations in cases of "Hacking". This coupled with the compounding provisions which make it easy for any criminal to escape with a financial loss makes it very easy for criminals to escape punishment.

Having discussed the changes made in Section 66, it is necessary to add a few words to the discussion on "Composition" in case of criminal offences provided in the amendments where the adjudicator or the controller has been given the powers even when a case is under a Court. (This was already discussed in yesterday's article).

It must be stated here that the concept of "Composition of Criminal Offences" is relevant when "Innocent" persons "Without intention to commit a crime" cause loss to the society and come under similar actions which could be done intentionally. Such innocent persons who may plead guilty and show remorse need to be provided an exit route without being imprisoned. One classical example is say damage caused through a road accident. Many times the driver who causes death to an accident victim feels guilty himself and undergoes remorse. Composition is relevant for such cases. In the earlier definition of Section 66 offence there was a possibility of a person committing the offence without intention. Hence Composition was relevant.

In the new definition, composition is less relevant since a person who dishonestly or fraudulently commits hacking need not be given the benefit of composition.

Naavi

September 1, 2005

Copy of the Amendments