|
A FEW SUGGESTIONS
for the Draft Proposal, IT Act 2000
Ministry of Information and Broadcasting
Govt. of India
Hello Netizen. Another feather has been added to India's IT cap - The IT Act. The Indian govt has done it again. As if Pokhran wasn't bold enough :-). Cyberlaw changes the way Internet influences a common man's net life. While in the physical world, we identify what we're doing by our actions, being watched by others. In virtual world, however, there may not be anyone watching our actions. It becomes the responsibility of the user to understand the difference between the right and the wrong. Wrong deeds, even if inadvertent, may subject the user to face penalties and punishments equal to (if not more) the punishments of crime in the real world.
On one hand, we're talking of wired cities and e-governance, while on the other hand we're specifying ways to create loopholes. If implemented properly with sincere, hardworking individuals as the driving force, Cyberlaw can help netizens have best out of the internet and related technologies, including e-governance. What remains to be seen is whether the Cyberlaw in India brings in cheers or sorrows to the netizen community. Let's all pledge to take a small step each and build and example for the world to form a responsible and productive net community.
Here are a few suggestions for the Ministry of Information Technology to ponder upon and incorporate, if deemed fit for the same.
Before getting into the other technical aspects of the IT Act 2000, it would be, in my humble opinion, appropriate to mention here that PRIVACY is a main concern worldwide. Major software and IT companies are losing battles on privacy infringment grounds, as privacy is every individuals right on this planet. Indian culture is vast and holds maybe more than the collective contents of the rest of the world. Still, privacy of every individual should be the prime concern. All law should be based on this and issues like banning of porn and violent sources etc. should be left on the user to decide what is best for him. All browsing software today are capable of prohibiting or disallowing content as per one's settings and we need not interfere between the source of the web content, the user, his family and his bedroom.
Now to the contents of the IT Act 2000:
First of all, I would like to draw attention towards the proposed Educational Qualification
and Experience for Controller
Reference: Para 3(b)(i) to (iii)
Details: A degree + MBA with 10 or 15 years experience means a person aged around 35-40
years. As we all know, Computers and IT is a relatively new field, about a decade of penetration into normal
peoples' lives. With the inception of digital technology and computer systems, the electronics and
Telecommunication industry has also undergone major changes in these years. A person with the above qualifications might
be a case of "unfit" candidate for the proposed post. The qualification would have been allright had we
been considering the standard job requirement for any other govt. post but computers is a fast moving field
and there should be some relaxation in the experience.
Workaround: There is seldom a day when we don't get to hear a school going kid or a
teenager achieving a reputation in the IT Arena. It is a known fact that the IT industry is being driven by "brains" and
not by "bodies", which implies that alternatively,
the capability of a controller, or any other recruitment
concerning IT decision-making, should be tested on the basis of IQ and mental
aptitude. Educational qualification and experience should be a secondary concern and the ability of the controller should be tested on the
mental grounds.
Context: Access request
Reference: Annexure II, 4.2(4)
Details: If each user is allocated a user-id and the user id is a privileged one, there is no need
for permission to use system resources.
Workaround: not required, maybe deleted
Context: Account
management -->User responsibilities
Reference: Annexure II, 4.4-4.6 and in general
Details: Upon termination of the user, the responsibility of the account should be with his/her
heirs, or other family members. In some cases, the users might have had to pay for an account. In that case, no
one would like to lose the remaining time upon termination of the account.
Workaround: Annexure II, 6.0(3) and other similar references should be changed to "Users and
in case of absence of the user, their heirs or family members shall be responsible....."
Context: Absence of user
Reference: All of Annexure II
Details: in case an account remains inactive, for a particular time, it will be suspended (Annex
II, para 4.5(2)). However, what if a user goes abroad for a month or so? In all references of "user" , the
user's family members and heirs should be included so that the sense of responsibility comes to the family as
a whole.
Workaround: The term "user" should be defined to include his family member, heirs.... etc.
(exact law language maybe used).
Context: Digital Signature by International authorities
Reference: "Digital Signature" in the whole document
Details: In the whole act document, the Digital Signature mentions Digital Signatures issued by
the proposed certifying authorities. There is no mention of the existing Digital Signatures issued by
international issuing authorities. It is also not mentioned whether the signatures issued by the existing international
authorities like Verisign and Thawte(again a Verisign company) etc., shall remain "legal" in the Indian IT
Act 2000.
Workaround: The Act should identify some top-notch International agencies in the field of
authentication and accept them as "valid" certifying authorities, and the existing signatures issued by them as
valid Digital Signatures. The jurisdiction of the law governing the "dispute" part of the contract done under
these signatures maybe mentioned as that of Indian Courts, with prior collaboration with the international
certifying authority such as Verisign.
Context: Payment for Digital Signatures
Reference: General
Details: In the vast IT Act, there is no mention of the fee payable by the end user to the
certifying authority for the obtained digital signatures. It seems that we have left that part to be catered later on as
and when the whole thing materialises. Would it not be appropriate to mention the fee, at least the maximum
limit, so that the poor, innocent end-user is not harrased by the certifying authorities later? It would also
help making the practice of issuing digital signatures corruption free, since there would be no fight over
"larger slice".
Workaround: The MIT should specify the maximum amount to be paid for a digital signature.
It should be priced nominally keeping in mind the average income of an Indian. It would be a revolution if
the signatures are provided free of cost. The investment made by the certifying authorities in obtaining
the license etc. maybe returned in some other way such as providing them with access to high-speed
network. They may use it as an ISP and get compensated for the money spent on licensing.
Context: Use of electronic Evidence in crime investigation
Reference: General
Details: The world is getting "bitsier-and-bytier" each day. Millions of people have started using
the digital and electronic medium for day-to-day use. Crime Scenario is no different. High profile criminals as
well as underworld dons are known to have used hi-tech gadgets and digital equipment to achieve the target.
Is it needed to mention here the communication medium used in the infamous cricket match-fixing case?
Not really, but the practical thing is, we're not going to stumble upon such evidence every time. We need to
make changes so as to incorporate the new sources such as e-mails, chat room discussions, web pages,
file attachments etc. Besides these, electronic documents retrieved from digital media should also be
accepted as electronic evidence.
Workaround: Changes may need to be made in the existing law to accept electronic documents
as evidence. It is further proposed to setup an
"Electronic Evidence Study Center"
that would be responsible for collection and processing all electronic evidences and track down any hacking attempts and
establishing the identity of the suspects in other IT related cases.
Context: Punishment to defaulters
Reference: General, based on IT Security Procedure and Guidelines (annexure II)
Details: IT act is here, just about to be implemented. Once in action, it will have its effects all over
the law and order machinery. What would happen if someone is found guilty of not conforming to the law?
There is adequate security mention in annexure II and proper guidelines seem to have been presented.
However, what is missing is the action to be taken if someone is found guilty of the offence such as trespassing in to
a system. There is a mention of the `lovebug' menace in the first para of the annexure. To add to the same,
it is necessary to mention here that the author of the "I Love You" virus is free since as per the
Philippines police, "there is no cyberlaw to nab the culprits of a computer crime". A lesson for the world, including
india, which has a huge IT potential. The volume computer crime attempts is directly proportional to this
potential. So a solution at the very root level would ensure smoother operation.
Workaround: a) It should be mentioned in the law that International sources (of cybercrime) shall
be liable for prosecution under the Indian laws.
b) users must be informed that they shall be responsible for their doings/deeds
online and if found guilty or tracked down, may face charges and punishment.
c) Actions such as spamming and cyber-stalking, should be defined as illegal and
the source of the same when tracked down should be made liable to be punished.
~~~~ End of Document ~~~~
|