Let's Build a Responsible Cyber Society


Misconceptions on ITA-2000 Amendments (Continued)

A few days back, we had brought to the notice of the public an article in the Times of India which had tried to build a case for the early passage of the proposed amendments, arguing that they would benefit the handling of Cyber Crimes. We had at that time pointed out that this was a misconception and that the proposed amended Act will actually dilute the current Act.

Now an article has appeared in the Indian Express which expresses similar sentiments. The article does state that the final amendments proposed by the Ministry may be different from the recommendations made by the "Expert Committee". However, certain statements made and conclusions drawn in the article suggest that the author is referring only to the infamous "Expert Committee Report" and not to any further amendments. It is therefore necessary to point out the fallacies in the argument, lest it strengthen the vested interests who are trying to push for the "Expert Committee" suggestions.

Some of the comments made in the article are reproduced here, each followed by our specific response.

Comment 1: Even as a fourth major information 'theft' crisis stares at the Indian Information Technology industry, the Information Technology Act, 2001, is waiting for government to clear amendments that will specifically define higher penalties and punishment for cyber swindles.

It is true that the amendments suggest higher "Penalties" in terms of rupees. But they also recommend a significant "Reduction in punishments" for all offences, making it easy for criminals to get away. They also introduce "Compounding" of criminal offences at an executive level, which makes a mockery of the punishments. They further introduce impossible pre-conditions for the prosecution of any offence and withdraw powers from the Police, rendering the law enforcement mechanism weak.

Let us look at the sections where the penalties and punishments have been changed.

| Section (present / proposed) | Penalty (present) | Penalty (proposed) | Punishment (present) | Punishment (proposed) | Comments |
|---|---|---|---|---|---|
| 43 (2) (proposed) | Nil (the objective of this subsection could be considered as already covered under the old Sec 43 itself) | Rs 1 crore | Nil | Nil | This is a new subsection. Our view on it is given later in this article. |
| 66 | 2 lakhs | 2 lakhs in some cases and 5 lakhs in others | 3 years | 1 year in certain cases and 2 years in others | Proof of "Dishonesty" and "Fraud" made mandatory for the application of Section 66. Refer to the detailed discussion on this section here. |
| 67 | 1 lakh | 5 lakhs; "Child pornography" introduced as a separate category with a Rs 10 lakh fine | 5 years | 1 year; "Child pornography" introduced as a separate category with 3 years' imprisonment | Intermediaries exempted from liability. Refer to the detailed discussion on this section here. |
| 69 | - | - | 7 years | 7 years | Section no longer applicable to the "Prevention of Cognizable offences". |
| 71 | 1 lakh | 1 lakh | 2 years | 2 years | "Intention" made mandatory for the application of the section. |
| 72 | 1 lakh | 5 lakhs; Rs 25 lakhs under new subsections (2) and (3) | 2 years | 2 years | Complaints under the new Sec 72 are admissible only at the Magistrate's court and not at Police Stations. Liability of an intermediary for data disclosure limited by the need to prove "Intention to cause injury". Definition of "Private Part of the Body" open to misuse. Refer to the detailed discussion on this section here. |
| 79 | - | - | - | - | Conspiracy and abetment made mandatory to invoke the liability of the intermediary. Refer to the detailed discussion on this section here. |
| 85 | - | - | - | - | Connivance made mandatory to invoke the liability of a company or its executives. |

Comment 2: A panel of experts had, in August 2005, suggested introducing a fresh clause in the IT Act that would allow compensation of up to Rs 1 crore to someone whose information is not protected by reasonably maintained and implemented security practices.

This refers to the addition of a new subsection 43 (2). Our views on it are as follows.

Views on 43 (2):

Section 43 (2) is a new subsection introduced in the amendments. The earlier section 43 is retained as 43 (1). Section 43 (2) states as follows.

(2) If any body corporate, that owns or handles sensitive personal data or information in a computer resource that it owns or operates, is found to have been negligent in implementing and maintaining reasonable security practices and procedures, it shall be liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person so affected.

Explanation.- For the purposes of this section,-

(iv) “body corporate” means any company and includes a firm or other association of individuals engaged in commercial or professional activities.

(v) “Reasonable security practices and procedures” means, in the absence of a contract between the parties or any special law for this purpose, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorized access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with the self-regulatory bodies of the industry, if any.

(vi) “Sensitive personal data or information” means such personal information, which is prescribed as “sensitive” by the Central Government in consultation with the self-regulatory bodies of the industry, if any.

This section imposes a duty on a "Body Corporate" that owns and handles sensitive personal data "Not to be Negligent" and "to implement reasonable security practices", failing which there is a liability to pay damages to the extent of one crore.

The question is: "Does this addition alter the current position substantially, or is it only a clarification?"

In the earlier version of Section 43, any person who suffers a loss could claim damages up to one crore from any person who "Accesses" or "downloads or copies data from" a computer system "without the authority of the owner of the computer". Under that version the victim had only to prove that "there was no permission". Now, to invoke a similar protection under 43 (2), the victim has to prove "negligence" and "Not following reasonable security practices" (and what constitutes a reasonable security practice and sensitive personal information has yet to be defined).

One can argue that the earlier section placed the liability only on the offender, while the new section places the liability on the owner of the computer. As a clarification, this aspect is welcome.

However, under the previous version, "Corporate Liability" and "Network Service Provider's Liability" were defined under Sections 85 and 79, under which the "Company" in which the breach of data security had taken place would not only be liable in financial terms but would also be open to criminal prosecution, both of the Company and of its Key Executives/Directors. Of course, here the Company could escape liability if it proved "Lack of Knowledge of the contravention" and "Due Diligence" in respect of its operations. Here "Due Diligence" would have been driven by industry practices and the "Circumstances of the case", whereas the new section pegs due diligence to the "reasonable security practice", which will be a checklist given by the Government. The current concept of "Due Diligence" sets a "Moving target" for security based on technological developments, while the new provisions peg it to an "Administrative checklist" which is bound to become static and obsolete. Further, the current "Due Diligence" is flexible enough to prescribe different security standards based on the criticality of operations and the type of IT establishment, whereas the "Checklist based approach" may impose one standard on every type of user and situation, which may be dysfunctional.

Yet another important aspect to remember is that the amendments propose to change even Section 79 and make it almost impossible for the victim to hold the intermediary responsible for a security breach.

The existing section 79 states : "For the removal of doubts, it is hereby declared that no person providing any service as a network service provider shall be liable under this Act, rules or regulations made thereunder for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention."

On the other hand, the new section 79 states: "An “Intermediary” shall not be liable under any law for the time being in force, for any third party information, data, or link made available by him, except when the intermediary has conspired or abetted in the commission of the unlawful act."

The existing Section 85 states inter alia: "...Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention."

The new section 85 states: "...Provided that nothing contained in this sub-section shall render any such person liable to punishment unless it is proved that the contravention took place without his knowledge and connivance and that he failed to prevent such contravention."

It may also be observed that under the new section 72, the following provision has been added: "Save as otherwise provided under this Act, if any intermediary who by virtue of any subscriber availing his services has secured access to any material or other information relating to such subscriber, discloses such information or material to any other person, without the consent of such subscriber and with intent to cause injury to him, such intermediary shall be liable to pay damages by way of compensation not exceeding Rs. 25 lakhs to the subscriber so affected."

Note that under this section the intermediary is liable only if he discloses such information "With intent to cause injury" to the subscriber.

Perusal of the above clearly indicates that the proposed changes do not add to any protection presently available to a victim of data loss. They only dilute the protection already available.

Comment 3:

Other amendments include changing Section 66 of the IT Act to include imprisonment for up to one year or a Rs 2 lakh fine for hacking, were proposed at a time when the IT industry was grappling with the most sensational arrest of Baazee.com CEO Avnish Bajaj. Major changes have been proposed to this section, also so that it can account for the march of technology towards 'phishing' and 'skype-ing'.

The current provision is fully capable of addressing any form of "Diminution in the value of information residing inside a computer resource". The new provisions restrict the operation of Section 66.

A more detailed discussion is available here.

Comment 4:

More importantly, the changes suggested by the expert panel sought to modify what many experts say is India's usually weak response to the breach of data protection and general cyber-security norms in India. "Within the backdrop of a spate of incidents of alleged security breach in BPO companies over the last two years, this (amendment of IT Act) looks like an essential task -- and the only way in which the government can help,'' a sector expert said. The amended IT Act is expected to broaden the ambit of computer crimes offences beyond just hacking, so that all those responsible for security of a system would be accountable.

This is incorrect. The current provisions under Sections 66 and 43 impose adequate criminal and civil liabilities on every type of Cyber Crime that can be envisaged. This covers "Identity Theft", "Data Theft" etc., which are relevant for BPOs. The new provisions do not add to these and actually reduce the deterrent effect of the penal provisions now existing.

The proposed amendments, if not substantially modified, will therefore be a fraud on the digital society in India. The worst sufferers would be IT Companies and Women.

Journalists need to understand the implications of the amendments before hailing them on the basis of the views of persons with vested interests. Otherwise they become pawns in the hands of these interests and would share responsibility for the fraud on the community if the proposed amendments follow the Expert Committee's recommendations.

Naavi

October 4, 2006

Related Articles:

Naavi.org: Beware of a Renewed Attempt to Push ITA-2000 Amendments

IE: Meanwhile, IT Act changes for data safety on hold

TOI: Changes in IT Act would've cost Airtel

Complete Comments on the Amendments

(comments welcome)