This memorandum is being submitted in response to the invitation of the Ministry of Information Technology (MIT) made to the public with specific reference to the draft of the intended Rules to be notified under the Information Technology Act 2000 (ITA-2000).
The Information Technology Act-2000 (ITA-2000) is the first exclusive legal framework envisaged by the Indian Government for the emerging Digital Society. The Act will therefore pave the way for future guidance of the Cyber Society and Cyber Commerce. It will be the backbone for the Indian dream of becoming an IT superpower on the Global arena. In view of the immense importance of this legislation, it is necessary that the legislation has wide acceptance in society and does not become an unwelcome imposition. The suggestions made herein have been drafted taking into account this need along with the compulsions of the Government in developing regulations to prevent the occurrence of Cyber crimes.
1. Constitution of Cyber Regulations Advisory Committee:

The ITA-2000 had envisaged (Sec 88) that the Government would set up a Cyber Regulations Advisory Committee (CRAC) consisting inter-alia of members from the public to advise the Government and the Controller on all aspects of regulations. This was the key aspect of the regulations that could provide the services of industry experts in framing and administering the complications of the "Technology Law".

As per the proposed ITA-2000 rules, the CRAC would consist mainly of secretaries of various ministries and the Controller, besides some representatives of trade and industry bodies. The committee would be chaired by the Minister of Information Technology.

It is submitted that this constitution is not conducive to the development of a useful advisory body and there is a need to change the constitution as suggested herein.

The CRAC, as envisaged in the Act, is only an advisory body and can only submit its recommendations to the Ministry. Hence, the Ministry can review any of the suggestions in a body similar to what has now been constituted as the CRAC. This will be an internal review committee of the Ministry.

On the other hand, if the CRAC consists of eminent personalities from the industry, the wealth of experience and expertise available in the market place can be made available for the benefit of the Cyber society. Keeping this in view, the CRAC should be chaired by an eminent Security Consultant or a Retired Supreme Court Judge and should consist of members from the Netizen community and the Dot.Com industry. Adequate representation from the Legal profession, Law Universities, Sociologists, Criminologists and Technical Journalists should also be considered.

Ideal candidates for this purpose are unlikely to be the working Secretaries (barring individual exceptions) or the Presidents/Secretaries of trade bodies such as CII, FICCI etc.

In order to identify such candidates from the vast community of Netizens, a selection process similar to the "ICANN Election model" can be adopted. Under this model, a set of representatives will be short-listed based on nominations received. A community of registered voters who are given digital identities would vote in a pre-determined time span to choose the popular nominations. New elections can be held every year with the condition that no person is eligible to be a member continuously for more than two terms. Such a body would be truly representative of the Public interest, and give enough scope for different persons to serve in the Committee out of love for the assigned responsibilities. The compulsory retirement after two years would ensure that no vested interest could be developed by any member. Over a couple of years millions of Netizens would participate in the election process and make the CRAC a "Democratic Parliament for the Cyber Society".
2. Regulating the Certifying Authorities:

Certifying Authorities would be important intermediaries in the process of developing Digital Identity, which is the pre-requisite for E-Commerce as well as the development of a "Responsible Cyber Society". The Act should therefore encourage private enterprise in bringing this service to the masses at an affordable cost. In order to ensure this, regulations should restrict the regulatory measures to prescribing the minimum security standards.

The Act as well as the Rules envisage that the "Controller" would exercise enormous administrative control on the functioning of the Certifying Authorities (CA). For example, the Controller would determine the product features to be offered by the CAs, their pricing, marketing mix, and the manner in which customer relations are to be handled. Additionally, the Controller would also control the Financial, Technical and HRD aspects of the business. This kind of power is wholly unnecessary and not administrable. Such powers can only be exercised selectively and will soon turn out to be tools in the hands of corrupt officials for harassment. Even if the Government ensures that the Controller is above board, it will be impossible to prevent his subordinate officers at various levels misusing the powers.

It is therefore suggested that

The powers of the Controller be restricted to initial licensing and prescription of a model Certification Practice Statement that incorporates the minimum standards governing the Certification process. The powers to prescribe the features of the Certificates, pricing etc. should be left to the discretion of the CA.

This will enable the CAs to introduce innovative products at affordable prices and lead to quick spreading of the concept of "Digital Identity".
3. Licensing Period for Certifying Authorities:

In view of the enormous costs of setting up the Certification business, the initial licensing period of one year is too short to develop a viable business proposition for any Certifying Authority. In order to encourage quality stand alone Certifying Authorities to come up, it is suggested that

The initial period of licensing of the CA be increased to 3 years and the subsequent renewal period increased to two years.
4. Foreign Certifying Authorities:

The Act presently prescribes that Certificates issued by a Foreign Certifying Authority would be valid under Indian law only if the CA is licensed by the Controller. This is fraught with the risk that Certificates issued and to be issued by a large number of CAs in foreign countries would not be recognizable by the Indian Courts in a Cyber Contract case. As a result, the user of such a certificate would escape legal liabilities to the detriment of the other contracting party who might have used a recognized Certificate.

In order to avoid complications, it is therefore suggested that

Any CA who has been licensed by a root certifying authority of a foreign country listed in the schedule (to be specified) will be considered as "Provisionally approved" to the extent that certificates issued by them would not be held invalid in a Case where any of the parties is an Indian Citizen or is using a Digital certificate issued by a CA licensed by the Controller.
5. Eligibility to be a Certifying Authority:

According to the draft Rule 7 (ii), an applicant for Certifying Authority must be a "Company" operating in India with foreign equity not more than 49 % of the total equity. This restriction is not envisaged in the Act, according to which any "person" can apply for a licence.

The Rules need to be amended to allow individuals and Foreign Certifying Authorities to also apply.
6. Licensing Fees:

The Act prescribes a ceiling amount of Rs 25,000 as the fees to be paid by a Certifying Authority applicant. The Rules however prescribe an examination fee of Rs 100,000, an application fee of Rs 25,000 and a license fee of Rs 25,000 per annum.

This anomaly needs to be removed.
7. Renewal of Licence of a Certifying Authority:

According to the Act, the licence of a Certifying Authority is renewable by an application made not less than forty five days before its expiry.

However, according to draft Rule 9 (ii) the renewal application has to be made at least 3 months before the expiry of the licence.

This is beyond the scope of the Act and needs to be deleted.
8. Office of the Adjudicating Officer:

The role of the Adjudicating Officer (AO) has been an area of confusion in the Act and the accompanying Rules.

Firstly, the jurisdiction of the AO has been restricted to contraventions of the Act as defined under Ch 9 of the Act, which provides a right to the affected person to claim compensation. The "Offences" indicated under Ch 11 are outside the jurisdiction of the AO.

Secondly, the Rules state that the AO would be appointed by the Government on an ad hoc basis. This indicates that an aggrieved party has to apply to the Government requesting them to order an enquiry. However, no procedure has been prescribed for such purpose. It is not clear whether an aggrieved person has to go to a Police station to file an FIR, or approach a Court, or appeal to the Ministry of Information Technology or to the Controller.

Through this process the AO has been reduced to an ad hoc enquiry officer to be appointed by the Government from time to time and not a statutory authority whom the Citizens can approach for redressal of any grievance.

The spirit of the Act was definitely not this. By instituting the office of the AO and the CRAT (Cyber Regulations Appellate Tribunal), the Act implied that there would be a parallel system of addressing the needs of Cyber Disputes, bypassing the normal system up to the level of the High Court. This was also useful in ensuring that specially trained persons can be appointed for handling the Cyber Disputes.

The Rules are therefore contrary to the spirit of the Act and it is suggested as follows.

The Act should first be suitably amended to remove the distinction between Ch 9 and Ch 11 crimes. The sections in the two chapters should be merged into a single chapter and the AO should have jurisdiction to try all those violations. Whether the state wants to charge a penalty or provide for compensation for an affected member of the public, there should be one common system of Dispute resolution. This should start with the AO, who should receive complaints directly from the affected persons. He should then proceed to conduct an enquiry, summoning the help of the Police if required for investigation. He should then proceed to give his award, which may consist of Compensation to the affected, a fine to be paid to the State and imprisonment if he deems fit. His award can then be appealed against at the CRAT and the CRAT's judgement can be appealed against in the High Court.

If this amendment is not brought about, there appears to be no need to have a permanent post of CRAT. This is because the major part of CRAT's work happens to be hearing appeals on AOs' awards. The references, if any, from the Controller would mainly be of an administrative nature involving the Certifying Authorities, and the need for CRAT to settle legal issues in such cases is minimal. Since the normal Courts are neither equipped to handle Cyber cases nor have the time to do so, the entire system of Cyber Disputes would be thrown off gear if the amendments as proposed are not effected.

Presuming that the above suggestion is accepted, it is necessary to also provide that

The AO can conduct an enquiry through an online process where the complainant and the defendant along with the AO interact on a secured communication channel with appropriate digital identities. (This will be a forerunner to the E-Courts to be set up in due course.)
9. Balancing of the Penalties:

In order for the society to respect law, it is necessary that the penalties proposed should be commensurate with the offences. The Act fails in this respect by providing disproportionate levels of punishment for various offences. For example, for the first commission of an offence of "Publishing or Distribution of Obscene material", the offender can be jailed for a term of 5 years. On the other hand, a person who commits a Credit Card fraud can only be asked to compensate the loss suffered by the Card owner. Even for this, the Card owner has to go through the process of seeking justice through the Indian judicial system such as the Civil Court. Going by the standards of the Civil Courts in India, it will be years before the case can come up for hearing, and in the meantime it is the complainant who has to keep attending the Court, and arrange for the defendant to be brought to the Court with a warrant if required. Even after a judgement is given in his favour he has to get a decree executed to recover his amount. All this simply means that the judicial system proposed under the Act is not available to any Citizen. Moreover, any order passed under Section 43 of the IT Act would only be a "Paper order" as there are no provisions in the Act for its enforcement.

On the other hand, for simple administrative lapses such as when a Certifying Authority fails to submit a "Return" in time, the Controller can impose a heavy fine, invoke the enquiry of the AO who is at the beck and call of the MIT, and proceed to recover the penalties like "Land arrears".

The Act in the present form is meant only to serve the interests of the Government and in no way meant for the welfare of the public.

It is therefore suggested that

The schedule of penalties be revised to bring about a relation between the gravity of the offence and the proposed punishment. As suggested earlier, the provisions of Ch 9 and Ch 11 should be combined and there should be a uniform scale of punishment. Imprisonment should be resorted to only in the case of deliberate and orchestrated crime on the Cyber society, whether it is "Cyber Fraud" or "Cyber Terrorism" or "Cyber Gherao" etc. Punishment for obscenity should be mainly in the form of a fine unless an attempt to corrupt the society at large is proved. It is further suggested that the order for payment of compensation passed under Section 43 of the Act be treated as a "decree" to enable its enforcement through the Civil process.
10. Role for Legal and Non Legal Professionals:

The proposed rules under the Act shut off the office of the Controller for members of the legal fraternity since the qualifications mandated are Engineering or a Ph.D in Physics. Simultaneously, under the provisions of the Act, individuals are barred from seeking representation by non legal persons in any proceedings before the AO or the CRAT. (This is available for Companies.) In order to provide equal opportunities to legal and non legal professionals for all the official and professional positions, it is suggested that

The choice of the Controller would be made by the CRAC (constituted as suggested in this note) taking into account the experience, qualification and contribution in the professional field.

The complainant or the defendant would have the freedom to engage one or more persons, not exceeding three, to represent him before the AO or the CRAT irrespective of whether they are legal practitioners or not.
11. The Judicial Process:

The AO and CRAT may require technical assistance during the process of conducting an enquiry or hearing an appeal. In order to provide such assistance systematically, it is suggested that

The CRAT should be made a three member committee with at least two of them sitting through any proceedings. One of them must be a technical person. The Chief officer may be a legal person with judicial experience as is now envisaged.

In the case of an enquiry before the AO, the enquiry may be held before an expert committee consisting of three members of the public with relevant experience chosen from a panel. The committee should file a report in confidence on every enquiry, which is referred to by the CRAT only in the event of an appeal being preferred. The report may record the views of the committee on whether all aspects of relevance were considered by the AO before arriving at an award.
12. Definition of Hacking:

The definition of "Hacking" under Ch 11 is unnecessary and can cause unintended conflict with the definition of "Unauthorised Access" under Ch 9. The definition as provided may affect actions that may legitimately be undertaken for "Cyber Patrolling" and "White Hacking", as the onus of proving that there was no "intention to cause damage" would be on the accused.

It is therefore suggested that

The definition of "Hacking" under Sec 66, being redundant and dysfunctional, should be deleted. Simultaneously the provisions of Ch 11 and Ch 9 should be merged into a single list of "Contraventions that attract penalty, Compensation or punishment of any kind under the Act".
13. Definition of Tampering with Computer Source Documents:

The definition of "Tampering with Computer Source Documents" under Sec 65 only covers the records to be maintained by law (which itself has not been indicated). In order to protect the interest of Software companies from malicious acts of their employees, it is suggested that

Tampering of Source Codes by employees of a software company in a manner inconsistent with the rights accorded to them for the purpose of discharging their functions should also be recognized as an "Offence" punishable in law (much as destruction of a property belonging to the employer is punishable). Simultaneously the records to be maintained by law have to be specified for clarity.
14. Miscellaneous Provisions regarding Digital Certificates:

It is suggested that

Sec 35 (3) and 35 (2) of the Act, which wrongly prescribe the Certification Practice Statement as a mandatory document to be provided by an applicant and determine the pricing of the Certificates, should be deleted. Consequential changes should also be made to 35 (4).

Sec 32 regarding "Display of License by a Certifying Authority" should be deleted.

Sec 25 regarding the Power of the Controller should be restricted to suspension of the license of the Certifying Authority. Revocation power should be exercised by a higher committee of the MIT.

Sec 27 regarding the delegation of power by the Controller to his subordinates should exclude the power of suspension and revocation of the license of a Certifying Authority.

These changes are suggested since the subject powers are unnecessary and are capable of being abused.
15. Status of Officials as Deemed Public Servants:

According to Sec 82 of the Act all the officials of the CRAT will be deemed to be Public Servants under section 21 of the Indian Penal Code. It is not clear whether the definition is sufficient to bring the officials under the provisions of the Prevention of Corruption Act. The immunity provided under Sec 84 for "Acts done in good faith" provides further protection to these officials, which is injurious to the development of a healthy and corruption free system.

It is therefore suggested that

The Controller, the AO, the CRAT and all officials working under them should be deemed as "Public Servants under the Prevention of Corruption Act" and subject to the supervision of the CVC.

Sec 84 providing immunity against legal action against the Controller and other officials should be deleted. Action in this regard should lie by way of an appeal to the High Court.
16. Compounding of Contraventions:

Section 63 of the Act refers to Compounding of Contraventions under Chapter 10. Since there are no contraventions under Chapter 10 that are capable of being compounded, it is suggested that

"Chapter 11" be substituted for "Chapter 10" in Section 63.
Summary:

It is evident that the changes required to be made to the Act and the Rules are many and far reaching. It is therefore suggested that all action on this front be suspended until a CRAC is constituted as suggested, consisting of eminent persons, which can go through all the other suggestions made herein.