Why US PATRIOT Act is required in India?
The Indian National Cyber Security Forum (INCSF) in its first formal
meeting on 6th December 2008 at Bangalore advocated that what India now
needs as a counter cyber terrorism response in terms of legal structure
reform is an Indian PATRIOT act and a mere addition of a "Cyber Terrorism"
clause in ITA 2000 amendments is not sufficient. I would like to elaborate
on the reasons why this suggestion is being made by INCSF.... Naavi
Background:
The amendments to ITA 2000 have been in contemplation since around January
2005 when an "Expert Committee" was formed for the purpose in the aftermath
of the arrest of the then baazee.com CEO under Section 67 of ITA 2000.
Without understanding the concept of "Due Diligence", many industry
stalwarts at that time were made to think that there was a serious flaw in
ITA 2000 which needs to be amended immediately. When the amendments were
recommended in August 2005, concerned observers were horrified to see that
it was simply an exercise to bail out baazee.com at the expense of diluting
the law through various means. Naavi's concerns were captured in a series
of articles published at that time and again another set of articles
published in 2006. (See details here).
Fortunately the amendments which were cleared by the Cabinet Committee as
the ITA 2000 amendment Bill was referred to a Parliamentary Standing
Committee headed by Sri Nikhil Kumar which submitted a
report by October 2007 severely criticizing the provisions. The Bill
was sent back for revision to the MCIT which has now brought the bill back
to the Parliament to be presented in the next few days.
One of the observations made by the Standing Committee was that the
amendments had not focussed on issues such as penalizing "Cyber Terrorism".
Now that the public expectation is on better legislation to meet terrorist
threats, there are demands for legislation to address countering "Cyber
Terrorism". The GOI which has steadfastly refused to bring in POTA or
similar legislation for addressing "Terrorism" may hold out the amendments
to ITA 2000 as its specific response to counter terrorism in general and
Cyber Terrorism in particular. Already noises are being made about the
provision being made on "Cyber Terrorism".
There is no doubt that there will be one clause on defining "Cyber
Terrorism" and suggesting an imprisonment of say up to 10 years in the
forthcoming amendments.
The INCSF has a genuine concern that going by the general trend of the
amendments to reduce punishments for Section 66 and to make dishonesty and
fraud preconditions for invoking Section 66, as well as the dilution
of Section 79 to remove the "Due Diligence" requirement for intermediaries,
the amendments may turn out to be only a half-hearted
attempt to counter Cyber terrorism. It is therefore felt that we need to
address the issue of increased powers to the Police for arrest without
warrant and a more liberal provision for "Admissibility of Evidence" than
what is provided in Section 65B of Indian Evidence Act.
It is in this context that INCSF has advocated that we need a comprehensive
legislation similar to the US PATRIOT Act which addresses several
dimensions of the requirements to tackle the problem of Cyber terrorism.
What is PATRIOT Act?
The full name of the act is itself very revealing of its intentions and we
need to note the same. US PATRIOT Act stands for "Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism" Act.
The Act has 10 different titles covering the following areas.
TITLE I--ENHANCING DOMESTIC SECURITY AGAINST TERRORISM
TITLE II--ENHANCED SURVEILLANCE PROCEDURES
TITLE III--INTERNATIONAL MONEY LAUNDERING ABATEMENT AND ANTI-TERRORIST FINANCING ACT OF 2001
TITLE IV--PROTECTING THE BORDER
TITLE V--REMOVING OBSTACLES TO INVESTIGATING TERRORISM
TITLE VI--PROVIDING FOR VICTIMS OF TERRORISM, PUBLIC SAFETY OFFICERS, AND THEIR FAMILIES
TITLE VII--INCREASED INFORMATION SHARING FOR CRITICAL INFRASTRUCTURE PROTECTION
TITLE VIII--STRENGTHENING THE CRIMINAL LAWS AGAINST TERRORISM
TITLE IX--IMPROVED INTELLIGENCE
TITLE X--MISCELLANEOUS
A detailed study of the Act is outside the scope of this article. But what
is required to be noted is that this Act is much more comprehensive than
the POTA, which we in India think of as the ultimate legislative
protection against Terrorism. While the GOI is hesitant to introduce
even POTA-equivalent legislation, the Government may not be considering
legislation of the type of the US PATRIOT Act.
However, INCSF would like to highlight what is required at least for
addressing the requirements regarding a Cyber Terrorism Act. In a way, what we
can press for is an "Indian Cyber Space Protection Act" which draws ideas
from the US PATRIOT Act.
Some Key Provisions to be Considered
Definition of Cyber Terrorism
One of the first provisions which we need to fix is "Defining Cyber
Terrorism". We do not know what the amended ITA 2000 is contemplating as the
definition of "Cyber Terrorism". We may however discuss what are the
options available.
The FBI in the USA has defined Cyber Terrorism as: "Any premeditated, politically
motivated attack against information, computer systems, computer programs
and data which results in violence against non-combatant targets by
sub-national groups or clandestine agents".
One of the problems that can be identified with this definition is that it
restricts the definition to "Politically motivated". India faces a
terrorism which may be more "Religiously motivated" and not "Politically
motivated". The definition is also dependent on the definition of the
term "Violence". In the Cyber Terrorism context, the term needs to be
explained to include violence on "Virtual Properties".
The US National Infrastructure Protection Center defines "Cyber Terrorism" as
"A criminal act perpetrated by the use of computers and telecommunication
capabilities, resulting in violence, destruction and/or disruption of
services, to create fear by causing confusion and uncertainty within a
given population with the goal of influencing a government or population to
conform to particular political, social or ideological agenda."
This definition is better than the FBI definition since it extends the
definition to social or ideological agenda.
Even this definition however ignores the need to define "Cyber Terrorism"
to include "Propaganda, technical assistance for hosting, Phishing,
Spamming etc". The US PATRIOT Act may cover this in other provisions
under the Act since it is a comprehensive legislation which includes other
provisions (discussed later in the series of subsequent articles).
If we depend on amendments to ITA 2000 to do everything for Cyber
terrorism, then the definition becomes very important.
One suggested definition could be as follows:
Cyber Terrorism means:
using a Computer, Mobile or any associated device or an Electronic Document
to intimidate or coerce the Government, its civilian population, or any segment thereof, of India or its friendly countries
to create disharmony in the Indian society or the society of any of the friendly countries
to create destabilization of the economy or any segment thereof either on the physical space or cyber space in India or in any of the friendly countries
in furtherance of political, religious or social objectives or to harm the community injuriously by any means,
or any attempt thereof, or providing any assistance thereof.
Explanation: "Friendly countries" under this section means those
countries declared as "Friendly countries for the purpose of this act"
through a gazette notification and with whom India has a mutual Cyber
Terrorism Resistance Treaty.
This definition does not include "Violence in Physical Space" because
causing violence in physical space through an electronic device is already
covered under the IPC and other physical space laws. It is expected that
countries such as Pakistan would not be declared as "Friendly Country". In
the event any ethical hacker group carries out any attack on the unfriendly
country's cyber resources, it would not be considered as an offence under
this provision. (It is however envisaged that a proper regulatory system
would be set in motion to ensure that people would not take the law into their
own hands, which will be discussed elsewhere in this series of articles.)
Powers of Police
Additionally, Section 80 of ITA 2000 (which the Expert Committee wanted to
be deleted) should include a special provision to say that in case of a
suspected Cyber terrorist Act, the Police may arrest without warrant and
conduct search and seizure in any place (not restricted to public place).
Similarly, Section 65B of Indian Evidence Act should clarify that in
respect of evidence against a Cyber Terrorism Act, a certificate by an
authorized official of an ISP (including foreign ISP) even without a
certified print copy may also be admissible as evidence. Additionally,
testimony of witnesses over video conferencing should also be made
admissible. It should also be ensured that Intermediaries do not
have any exemption under Section 79.
At the same time, in order to ensure that there is no misuse of the powers
by the police, Cyber Terrorism cases may be investigated only by a police
officer of the rank of an SP, and suitable documentation and reporting to
higher authorities may be introduced on the actions taken by the Police such as
classification of a reported offence as "Cyber Terrorism", as well as
arrests made, seizures effected, notices served and responses received from
intermediaries etc.
(To Be continued)
Naavi
December 9, 2008