Given the complexity of Cyber Laws as a piece of legislation it was no surprise that the Parliamentary standing committee took over six months to deliberate and return the Bill with recommendations. At the end of this long wait, the expectation that a vastly improved version of the Bill could be coming forth was sadly belied. After the two blatantly absurd clauses (Clause 73A and 73B Regarding Cyber Café activity and Domain name registration) that had sneaked into the Bill had been deleted, the Bill remained essentially same as the original draft. The changes suggested by the committee were mostly immaterial and had already been present in some form already. Perhaps the only significant change was to restrict the term of the Presiding officer of the Cyber Regulations Appellate Tribunal, to a maximum of 5 years. Just as the addition of the above two clauses (73A, 73B) showed the ignorance of the law framers, the retention of some of the other clauses that needed to be deleted has caused grave concern amongst Cyber Law specialists about the ability of our legislative wing. It is time that this deficiency is publicly debated so that we will not be silent spectators to the drafting of an important piece of legislation by a bunch of inexperienced officials. One of the major areas of deficiency in the
Bill that could hinder implementation are the provisions regarding the
Role and Function of the Certifying Authorities (CA) as well as the process
of issuing Digital Certificates as explained in detail below.
1.Licensing of Certifying Authorities: Considering the responsibilities that a CA has to discharge, the business of the CA s will involve a heavy investment in terms of infrastructure, manpower, and marketing. The licensing period therefore has to be long enough to make the business viable. If this is as short as say one year, no CA will be able to break even before his first license expires. He will then come up for assessment for the renewal application and judged based on his performance, which may not, be reflective of his potential. In the absence of transferability, he may even be restrained from upgrading his skills through a joint venture partner. In case the CA finds it uneconomical to run the business, he will even be prevented from handing over the business to another more efficient entity. In such an event, it would be the Netizens holding certificates issued by such a vacating CA who may suffer. It is therefore necessary that the initial
licensing period should be atleast 5 years and no restrictions be placed
on the transferability of the ownership of the company that is granted
the license. The Controller may however retain the right to review the
license if he feels that the changes may compromise the interest of the
customers of the erstwhile company.
In view of the enormous preparations required to set up the Certifying Authorities business, Indian CA s will take some time to come up with their services. Until such time, the market has to be supported by the Foreign Certifying authorities. Otherwise, even after the Act is finally in place, it cannot be implemented in the absence of the digital signature infrastructure. Sadly, the Bill has made the task of getting license by Foreign Certifying Agencies unnecessarily complicated and needs an immediate review. As per the Bill, Certificates will not be valid unless the issuing CA is approved by the Controller. For a Foreign CA to get the approval, he has to open a physical office in India where he has to display (!) the license (Sec 32). Before approving the foreign CA, the Controller has to obtain the permission of the Central Government and the fact should be notified in the gazette. Who ever drafted the above provision has not bothered to understand the ground realities. Firstly, there are already many users in India who have obtained individual or secured server digital certificates from foreign CA s such as Verisign. Now, if for argument sake, Verisign doesnot get the license as a CA from the Controller in India, the existing certificates issued by them will not be valid under the Indian law. Similarly, if an Indian who has obtained a certificate from a licensed CA has to enter into a contract with an Australian counterpart who has a certificate from an Australian CA, the contract may not be considered valid under the Indian Cyber Law unless the Australian CA also obtains license in India. Will all the CA s in every other country agree to open offices in India, apply for license, wait for the Government to approve and notify in the Gazette and display the Certificates in their Indian offices? The answer is a definite "Impossible". It is therefore appropriate if (as is prevailing in some other countries), the validity of Certificates from any CA already approved in other countries is automatically extended to India. 3.Individuals to submit Certification Practice Statement? If the provisions discussed above display only the ignorance of the lawmakers, the reading of Clause 35 leaves one wondering how such blunders can pass through many hands and become law. This section deals with issue of Digital certificates by the certifying authorities. Surprisingly clause 35.3 says…"Every Such application shall be accompanied by a certification practice statement…". Obviously, the clauses 35.2 and 35.3 have been borrowed from the clause meant for the processing of an application of a Certifying authority requesting a license to issue Digital certificates. The wording of 35.4 further indicates that this faux paus is not just a slip but a deliberate insertion in the belief that it is necessary. These clauses have to be deleted and modified appropriately. Na.Vijayashankar May 23, 2000 |