We all knew that the field of Cyber Laws was complex. While the Act was being drafted, the Government had no proper guidance either from the Legal community nor the IT community. The reason was that no lawyer can understand the provisions of the Bill without some understanding of technology. Unfortunately most lawyers even if they are eminent otherwise have no knowledge of IT enough to guide the Government. The IT specialists we know of are mainly software engineers and don’t have a clue of what "Law" means. Their guidance was also therefore insufficient to help the law makers. The long gestation for the IT Bill was therefore understandable. However, after such a long wait, we had not bargained for a piece of legislation that is not equipped to handle even the basic purpose for which it was passed, namely "Enabling valid Contracts using Digital signatures on an Electronic Document". Let us briefly explore the provisions of the Act which concern the
Digital Signatures to understand the seriousness of the mistakes that have
crept into the Act as passed by the august Parliament.
Considering the responsibilities that a CA has to discharge, the business of the CA s will involve a heavy investment in terms of infrastructure, manpower, and marketing. The licensing period therefore has to be long enough to make the business viable. If this is as short as say one year, no CA will be able to break even before his first license expires. He will then come up for assessment for the renewal application and judged based on his performance which may not be reflective of his potential. In the absence of transferability, he may even be restrained from upgrading his skills through a joint venture partner. In case the CA finds it uneconomical to run the business, he will even be prevented from handing over the business to another more efficient entity. In such an event it would be the Netizens who hold certificates issued by such a vacating CA who would be affected. It is therefore necessary that the initial licensing period should
be atleast 5 years and no restrictions be placed on the transferability
of the ownership of the company that is granted the license. The Controller
may however retain the right to review the license if he feels that the
changes may compromise the interest of the customers of the earstwhile
company.
In view of the enormous preparations required to set up the Certifying Authorities business, Indian CA s will take some time to come up with their services. Until such time, the market has to be supported by the Foreign Certifying authorities. Otherwise even after the Act is finally in place, it cannot be implemented in the absence of the digital signature infrastructure. Sadly, the Bill has made the task of getting license by Foreign Certifying Agencies unnecessarily complicated and needs an immediate review. As per the Bill, Certificates will not be valid unless the issuing CA is approved by the Controller. For a Foreign CA to get the approval, he has to open a physical office in India where he has to display (!) the license (Sec 32). Before approving the foreign CA, the Controller has to obtain the permission of the Central Government and the fact should be notified in the gazette. Who ever drafted the above provision has not bothered to understand the ground realities. Firstly, there are already many users in India who have obtained individual or secured server digital certificates from foreign CA s such as Verisign. Now, if for argument sake, Verisign doesnot get the license as a CA from the Controller in India, the existing certificates issued by them will not be valid under the Indian law. Similarly, if an Indian who has obtained a certificate from a licensed CA has to enter into a contract with an Australian counterpart who has a certificate from an Australian CA, the contract may not be considered valid under the Indian Cyber Law unless the Australian CA also obtains license in India. It is impossible to expect that all the CA s in every other country agree to open offices in India, apply for license, wait for the Government to approve and notify in the Gazette and display the Certificates in their Indian offices. It is therefore appropriate if (as is prevailing in some other countries),
the validity of Certificates from any CA already approved in other countries
is automatically extended to India.
If the provisions discussed above display only the ignorance of the law makers, the reading of Clause 35 leaves one wondering how such blunders can pass through many hands and become law. This section deals with issue of Digital certificates by the certifying authorities. Surprisingly clause 35.3 says…"Every Such application shall be accompanied by a certification practice statement…". Obviously, the clauses 35.2 and 35.3 have been borrowed from the
clause meant for the processing of an application of a Certifying authority
requesting for a license to issue Digital certificates. The wording of
35.4 further indicates that this faux paus is not just a slip but a deliberate
insertion in the belief that it is necessary.
If such is the expertise of the lawmakers, one shudders to think what is in store for us when the rules under the act are drafted. If the situation is not to go out of hand, the Ministry of Information and Technology has to immediately constitute a task force consisting of experts in the field to assist them in the drafting of the rules. Na.Vijayashankar 26 th May 2000 |