Let's Build a Responsible Cyber Society


Beware of a Renewed Attempt to Push ITA-2000 Amendments

.

 

This report in Times of India suggests that there is a renewed PR exercise to push through the proposed amendments to ITA-2000 as proposed last year. The proposed amendments have been thoroughly analysed on this site and suggested as "A  Conception to to protect one offender" which turned out to be a "Gross Dilution of the law in favour of Criminals". It is necessary to revisit some of the aspects of the proposed amendments to understand why it is "Criminal Friendly" and has to be scrapped. It may be reiterated that the proposed changes are "Ultra Vires" the Act and can be questioned on procedural grounds.

Now let us see some of the statements made in the article.

Statement 1. Airtel should be grateful that data-protection measures drafted last year by an expert committee are yet to be enacted. The telecom major would have otherwise been liable to pay damages up to Rs 1 crore to each of the top police officers and bureaucrats whose call data records were found to have been accessed by an imposter due to the company's lax security.

Statement 2. In its report submitted in August 2005, the committee headed by the then information technology secretary, Brijesh Kumar, drafted a provision saying:  "If any body corporate, that owns or handles sensitive personal data or information in a computer resource that it owns or operates, is found to have been negligent in implementing and maintaining reasonable security practices and procedures, it shall be liable to pay damages by way of compensation not exceeding Rs 1 crore to the person so affected." Had the government not been sitting on the Brijesh Kumar committee's report, each of the officers affected by the leakage that came to light in New Delhi on Tuesday would have had a statutory remedy, entitling him to claim whopping damages from Airtel for its negligence. Besides proposing such civil liability for data theft, the report defined a range of "computer related offences" liable to be tried in a criminal court and punished with imprisonment up to two years.

Statement 3.In fact, some of the proposed offences would have applied directly to the HSBC employee, Nadeem Kashmiri, who was arrested on Tuesday in Bangalore on the charge of colluding with fraudsters in the UK to divert funds from clients' accounts. According to the draft Bill, the accused is liable to be punished with imprisonment up to two years if he or she "Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer resource;" "Provides any assistance to any person to facilitate access to a computer resource in contravention of the provisions of this Act." In the absence of specific data protection provisions, as available in countries like US and UK, Bangalore police is relying mainly on general provisions of the Indian Penal Code, which was enacted way back in 1860

It is clear from the tenor of the article penned in the name of  Mr Manoj Mitta, that the article accuses the Government of sitting on the recommendations which were meant to tighten the laws and could have helped in conviction/fixing liability in the case of the information leakage in Delhi and in the HSBC case.

In order to avoid any misunderstandings that may be generated from the report, I would like to place my views on each of the above comments. This may be read with the more detailed comments that are available in the document quoted at the end of this article.

 The provision quoted in Statement 2 above is a reproduction of the proposed Section 43(2) which is an addition to the present section 43. The terms "Sensitive Personal Data" and "Reasonable Security Practices" are not defined along with the proposed amendments and hence the recommendation is incomplete and is of no practical value.

Secondly, this provision has to be viewed with the existing provisions which it replaces both under Section 43 as well as under Section 79.

The current section 43 does state that

(Section 43) of ITA-2000 : If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -

(a) accesses or secures access to such computer, computer system or computer network

(b) downloads, copies or extracts any data, computer data base or information  from such computer, computer system or computer network including information  or data held or stored in any removable storage medium;

(c)...

(d)..

(e)..

(f)..

(g) provides any assistance to any person to facilitate access to a computer,  computer system or computer network in contravention of the provisions of this  Act, rules or regulations made thereunder,

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

It is clear from the current Section 43, that if any person suffers a damage on account of a mere "access" of a computer "without the authority of the person in charge" or "copies, extracts data", then he is entitled to the compensation of upto Rs 1 crore. This provision is not limited to "the data handler being negligent or having not followed any reasonable security practice". Hence as far as the victim is concerned, the current section 43 provides more protection than the proposed section.

Supporters of the amendments will jump to the conclusion that this provision is "Unfair to the data handler or a data processor" since he is made liable without any limit on his "Due Diligence". This is incorrect since Section 43 is to be read with the section 79 which provides certain exemptions to the data handler or the data processor provided that he is not having knowledge of the contravention and that he has followed "Due Diligence". To be specific, let us see the exact provisions of this existing Section 79.

Section 79: For the removal of doubts, it is hereby declared that no person providing any service as a Network Service Provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.

Under this section "Network Service Provider" means an "Intermediary" who is defined as

""Intermediary" with respect to any particular electronic message means any  person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;

Under the current provisions therefore, Airtel can claim to be an intermediary and if they prove that the contravention has been committed without their knowledge and they have exercised all "Due Diligence", they would not be held liable. In the instant case therefore the victims can claim damages on Airtel and Airtel has to produce evidence and satisfy the court that they should be protected under Section 79 since they had exercised "Due Diligence". The Court can determine with reference to the evidence produced whether the precautions taken by Airtel are sufficient to be called "Due Diligence".

Now we shall look at what the new amendments propose under Section 79.

Section 79 ( Proposed):

(1)An “Intermediary” shall not be liable under any law for the time being in force, for any third party information, data, or link made available by him, except when the intermediary has conspired or abetted in the commission of the unlawful act.

(2) The provisions of sub-section (1) shall apply in circumstances including but not limited to where

(a) Intermediary’s function is limited to giving access to a communication network over which information made available by third parties is transmitted or temporarily stored; or

(b) The intermediary: (i) does not initiate the transmission, (ii) does not select the receiver of the transmission, and (iii) does not select or modify the information contained in the transmission.

(3) The provisions of sub-section (1) shall not apply if, upon receiving actual knowledge of, or being notified by the Central Government or its agency that any information, data or link residing on a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails expeditiously to remove or disable access to that material on that resource

Further the explanation continues to state : ‘Intermediary’ shall include, but not limited to, telecom service providers, network service providers, Internet service providers, web-hosting service providers, search engines  including on-line auction sites, online-market places, and Cyber Cafes

Under these provisions it is clear that Airtel would be doubly protected since

a) It is an intermediary without any doubt and is "not liable under any law". Note the use of the word "Any Law". This means that the protection under the amended ITA-2000 (If it becomes effective) protects Airtel from IPC as well as Indian telegraph Act.

b) In order to make Airtel liable, the victims need to prove that Airtel has conspired and abetted in the commission of the offence. Without second thought even I would state that no such allegation can be made on Airtel.

Hence Statement 1 made by the author of the article in Times of India is  boarne out of a wrong reading of the provisions of the propsoed amendments.

If the author thinks that the new provisions give better protection and Times of India Editor thinks this is true, perhaps they need to check their inference once again.  I believe that they have been taken for a ride by those who have planted this article.

The reason why such an anomaly exists in the proposed amendments is perhaps because of the reason that the "Amendments were Engineered by vested interests who wanted to protect some intermediaries caught by the Delhi Police in an earlier case and booked under both ITA-2000 and IPC". Without the change of legislation as suggested it woudl  not have been possible to protect the concerned individuals and hence the Brijesh Kumar Committee (called the "Expert Committee") was set up to suggest changes that could protect the concerned individuals.

Now for the statement 3 made by the author of the article stating that the HSBC fraudsters would not be punishable unless the amendments were made applicable. It is clear to any one who goes through the current Section 43 that the civil liabiltiy upto RS one crore for each of the victims is provided under the section. The amendments does not increase this protection.

The current provisions under Section 66 also apply to the HSBC case and makes every person involved including the foreign nationals punishable with imprisonment of upto 3 years. Bangalore Police has already filed an FIR on this ground (though the police have wrongly added Section 72 which is not applicable).

However it must be remembered that under the amendments proposed for Section 66, the person who has committed the offence will be liable only

If any person, dishonestly or fraudulently,  without permission of the owner or of any other person who is incharge of a computer resource provides any assistance to any person to facilitate access to a computer resource in contravention of the provisions of this Act, rules or regulations made thereunder;

In order to apply this section Police will have to prove "Dishonesty" and "Fraud" even before they charge Mr Nadeem Kashmiri. More over under the amendments, the punishment under the section is limited to 2 years and Police cannot consider the offence as "Cognizable" even by extending the CRPC provisions and arrest the person. They will have to first prove in the court that Nadeem had fraudulently assisted other fraudsters (Who are abroad) before arresting him. In fact Nadeem would have been the happiest person if the amendments had come into force. HSBC would have been the sufferer. This unimaginative proposal from the "Expert" committee makes one believe that the proposed amendments will make ITA-2000 "Criminal Friendly".

Now I would like the TOI Editor to give his comments on whether it would be right to consider that the article "Changes in IT Act would've cost Airtel" by Manoj Mitta which appeared today is in fact a planted story to push the amendments to ITA-2000 which is anti-industry, anti-consumer and pro-criminals.

[Please see the more detailed comments for further explanation on why I am forced to use such strong words]

Naavi

June 29,2006

Detailed Comments


For Structured Online Courses in Cyber laws, Visit Cyber Law College.com

 

Back To Naavi.org