ITA 2008 SWOT Analysis

By Naavi

The Information Technology Act 2000 (ITA 2000) became effective from October 17, 2000. After several years of experience, a major set of amendments was proposed in December 2006 with the introduction of the Information Technology Amendment Bill 2006, which was further amended, renamed and passed in the Parliament as the Information Technology Amendment Act 2008, on December 23 and 24. The Presidential assent was also given on February 5. The original Act ITA 2000 with the amendments is what we refer to today as ITA 2008.

Section 1(3) of the ITA 2008 stated that

“It shall come into force on such date as the Central Government may, by notification, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the commencement of that provision” 

In view of the above, the notification of the date of effectiveness of different provisions is awaited. 

It is understood that the Ministry of Communications and Information Technology is in consultation with industry bodies and finalizing the draft rules. When this process is completed, the necessary notification may be made.

This note consists of an overview of the proposed amendments to identify the Strengths and Weaknesses of the proposals so that corrective action, to the extent possible, can be taken as may be required through the rules.

A Section by Section comparison of the present Act (ITA 2000) and the modified act (ITA 2008) is available at http://www.naavi.org/naavi_comments_itaa/compare_2000-6-8/compare_2000-2008/index.htm . For immediate reference, a table indicating the changes is enclosed as “Annexure I”.

Some of the positive features of the amendments, which can be considered the “Strengths of ITA 2008”, are as follows.

  1. Enabling non PKI based Authentication methods
  2. Increase of offence sections from 10 to 22 and Recognition of new Offences
  3. Removal of the Civil liabilities upper limit
  4. Introduction of Civil Courts into the system
  5. Adding of “Diminishing the Value of Information” under Sec 43
  6. Integration of Section 66 with Sec 43
  7. Introduction of e-auditing
  8. Introduction of Data Protection provisions
  9. Introduction of Government Digital Evidence Examiner
  10. Compounding and Cognizability clarified.
  11. CAT made a multi member body
  12. Apex Security agency nominated and given powers
  13. Responsibility for Retention of Data introduced
  14. Police at Inspector Level brought into the scheme

Weaknesses:  

  1. Responsibility of Controller of Certifying Authority as a Repository reduced
  2. Offences made “Bailable”
  3. Pre-conditions “Dishonesty” and “Fraudulently” introduced for Sec 66
  4. Inclusion of “Browsing” and “Seeking” in Sec 67B
  5. Section on Video Voyeurism not properly structured

 Opportunities 

  1. Infrastructure for Security in Cyber Space
  2. New authentication technology can be introduced
  3. Investigation of Cyber Crime can be facilitated with regulation of Intermediaries

 Threats 

  1. Powers vested with the CERT-In amenable to abuse
  2. Powers of the Police amenable to abuse

 ANNEXURE I

Overview of the Changes

 (Comments by Naavi, October 2009)

| Section | Change Proposed | Comments |
| --- | --- | --- |
| 1 | List of excluded documents removed from Section 1(4) and notified through First Schedule | This is a procedural simplification. A notification is required for making any additions or deletions to the list now included in the First Schedule. |
| 2 | 2(d) modified, and the term "Digital Signature" replaced with "Electronic Signature" in the Act. | Necessary due to the introduction of the authentication system called "Electronic Signatures". Electronic signature by definition includes digital signatures. |
| | Section 2(ha) added to define "Communication Device" | Cellphones, PDAs etc are specifically brought under ITA 2000 though these were considered part of the definition of "Computer". The use of the term "any other device used to communicate, send or transmit" extends the definition to ATMs or Credit Card swiping devices etc. |
| | In 2(j) "Computer Systems" and "Communication Devices", "Wire", "Wireless" added. | Clarification welcome |
| | In 2(k) "Communication Device" added | - |
| | 2(na) introduced to define the term "Cyber Cafe" | Places where access to the Internet is allowed to the public are called "Cyber Cafe". Any other network where closed groups such as employees or students are allowed is not covered. |
| | 2(nb) introduced to define the term "Cyber Security" | Definition includes physical security of devices as well as Information Security. |
| | 2(ta) and 2(tb) introduce the terms "Electronic Signature" and "Electronic Signature Certificate" | Definition includes Digital Signature and Digital Signature Certificate |
| | 2(ua) defines "Indian Computer Emergency Response Team" | Provides a statutory base to the department. |
| | 2(v): "Message" included in the definition of "Information" | Clarification welcome |
| | 2(w) "Intermediary" defined | Includes service providers etc. Initially "Body Corporates" as defined in Sec 43 had been omitted. This omission has now been removed. |
| 3 | No Change | No Comments |
| | New Section 3A introduced to define Electronic Signature | This is an enabling provision to permit systems other than PKI based systems for authentication purpose. Second schedule of the Act is reserved for notifications made for new systems other than the Digital Signature already defined in the Act. |
| 4, 5 | No Significant Change | No Comments |
| 6 | No Change | - |
| | New Section 6A introduced to enable delivery of services by private service providers | Welcome |
| 7 | No Change | No Comments |
| | New Section 7A introduced to make audit of Electronic documents mandatory wherever the legacy physical records were subject to audit. | It is a clarification and welcome. Huge responsibility is now cast on the Government to get its electronic records audited. |
| 8, 9 | No Change | No Comments |
| 10 | No significant Change | No Comments |
| | New Section 10A specifies that contract formation is possible with offer and acceptance being in electronic form. | This is stating the obvious. Redundant and could cause problems for transactions between October 17, 2000 and the new date of effect of this amendment. An explanation that this would not affect electronic contracts already entered into would have been in order. |
| 11, 12, 13, 14 | No significant change | No Comments |
| 15, 16 | Defines "Secured Electronic Signature" and redefines "Security Procedure" | No Comments |
| 17, 18, 19 | No significant change | No Comments |
| 20 | Section deleted | The responsibility of the Controller to act as "Repository" has been removed. While the logic is that this should be the responsibility of the individual CA, the CCA has abdicated its responsibility for developing a trusted PKI infrastructure. This is an admission of the failure to provide a proper repository until now. The CAs also have not so far provided a satisfactory repository service and this will continue to be a lacuna in the system. |
| 21 | No significant change | No Comments |
| 22, 23 | The specified upper limit on the amount of fees deleted. | Welcome |
| 24, 25, 26, 27 | No significant change | No Comments |
| 28, 29 | No change in 28. In Section 29, the powers have been restricted to contraventions under this chapter. | Section 28 provides powers to the controller for contraventions under this "Act" while powers under Section 29 are available only for contraventions under this "Chapter". Appears to be an anomaly to be corrected since investigations may be required for contraventions under Chapter IX and Chapter XI. |
| 30 | Consequential Changes with introduction of Electronic Signatures | No Comments |
| 31, 32, 33, 34 | No significant change | No Comments |
| 35 | Sub section (4) modified | This change was due right from 2000 and was sought to be corrected by an administrative notification earlier. Better late than never. |
| 36 | Additional warranties indicated | No Comments on the change. No CA appears to be adding this certificate as a narration within the body of the Digital Certificate. It is required as a mandatory statement to be sent by the CA to the subscriber and also a part of the CPS. |
| 37, 38, 39 | No change | No Comments |
| 40 | No change in 40. | No Comments |
| 40A | New Section introduced to cover Electronic signature | No Comments |
| 41, 42 | No Change | No Comments |
| 43 | Two new contraventions added: contraventions corresponding to Sections 65 and 66 added for civil liability. Compensation limit removed. | The removal of limit for compensation is a significant change. |
| 43A | New Section included for the "Data Protection" need: specifies liability for a body corporate handling sensitive data, introduces concept of "reasonable security practices" and sensitive personal data. No limit for compensation | A significant provision to satisfy the "Data Protection" need. We need to watch out for definition of "Reasonable Security Practices" and "sensitive personal information" |
| 44, 45 | No significant change | No Comments |
| 46 | The powers of the Adjudicator limited for claims up to Rs 5 crores. Civil Court's authority introduced for claims beyond Rs 5 crores | Significant Change that brings Civil Courts below the High Court into the Cyber Related disputes for the first time. |
| 47 | No significant change | No Comments |
| 48 | Changes name of Cyber Regulations Appellate Tribunal to Cyber Appellate Tribunal. | No Comments |
| 49 | Name of Cyber Regulations Appellate Tribunal (CRAT) changed to Cyber Appellate Tribunal (CAT), which is made a multi member entity. Provision for benches introduced, non judicial members can be members of the Tribunal. | Excellent move. Provides for more expertise for the Tribunal. The appointment of the members other than the Chairperson requires consultation with the Chief Justice of India under Sec 49(2). This is in slight conflict with Section 50(2). |
| 50 | Specifies qualifications for appointment of Chairperson and Members of the CAT. | Choice of members restricted to Government Officers. This may restrict the talent available. |
| 51, 52 | Specifies terms and other conditions of appointment of Chairman and Members of CAT | No Comments |
| 52A, 52B, 52C, 52D | New Sections introduced defining powers of the Chairperson of CAT for conduct of business. | No Comments |
| 53, 54, 55, 56 | No significant change | No Comments |
| 57, 58, 59, 60 | No Change | No Comments |
| 61 | Amended to accommodate jurisdiction of Civil Courts for disputes involving claims of over Rs 5 crores. | No Comments |
| 62 | No Change | High Court remains the appeal Court for decisions of the Adjudicator though other Civil Courts will have jurisdiction for cases where the compensation claimed is Rs 5 crores plus |
| 63 | No Change | No Comments |
| 64 | No significant change | No Comments |
| 65 | No change | No Comments |
| 66 | The clause has been rewritten with significant changes. Applies to all 10 contraventions listed in Section 43. Fine increased to Rs 5 lakhs | The section applies only if the act is done "Dishonestly" or "Fraudulently" |
| | New Sections added under 66A, 66B, 66C, 66D, 66E and 66F to cover new offences. | Welcome move to clarify and expand the scope of the Act |
| 66A | Sending offensive Messages | Applies to Grossly offensive or menacing or false information. Also covers Cyber Stalking and Phishing |
| 66B | Receiving a Stolen Computer Resource | Applies to purchase or trading or use of stolen computers or mobiles besides information. |
| 66C | Identity Theft | Applies to Password theft, theft of cryptographic key etc |
| 66D | Cheating by personation | Applies to Phishing, Job Frauds etc |
| 66E | Violation of Privacy | Applies to Video Voyeurism |
| 66F | Cyber Terrorism | Provides Life Sentence, though definition is not considered comprehensive. |
| 67 | Fine increased to Rs 5 lakhs for first instance and Rs 10 lakhs for subsequent instance. Imprisonment reduced to three years for first instance and 5 years for subsequent instance. | Not considered significant. |
| 67A | New Section introduced to cover material containing "Sexually Explicit Act". Increased imprisonment and fine compared to Sec 67. | This is a sub-set of Section 67 and compared to the existing Section 67, it does not represent any significant change. |
| 67B | New Section introduced to cover Child Pornography with stringent punishment. Imprisonment 5 or 7 years and fine Rs 5 or 10 lakhs for first and subsequent instances respectively. Also covers "grooming" and self abuse | Includes “Browsing”, “Seeking” as an offence which could be misapplied. |
| 67C | This is a new section introduced requiring Intermediaries to preserve and retain certain records for a stated period | Excellent Provision. Period of retention needs to be notified. |
| 68 | Refers to the powers of the Controller to direct Certifying Authorities for compliance. No significant change. Penal powers to be applicable only on intentional violation | No Comments |
| 69 | Scope extended from decryption to interception, monitoring also. Control will be on a designated officer and not the Controller. | Welcome Provision |
| 69A | New Section introduced to enable blocking of websites. | Welcome Provision |
| 69B | New section that provides powers for monitoring and collecting traffic data etc | Welcome Provision |
| 70 | Critical Infrastructure System defined and section restricted to only such systems. Security practices to be notified | Welcome Provision |
| 70A | New Section added to define National Nodal Agency for Critical Information Infrastructure protection | Welcome Provision |
| 70B | Indian Computer Emergency Response Team to be the nodal agency for incident response | Welcome Provision |
| 71, 72 | No Change | Scope of Sec 72 gets enhanced since more authorities can collect information under the Act after the amendments and hence they come under the provisions of this section. |
| 71A | New Section introduced for Data Protection purpose | Welcome Provision |
| 73, 74, 75, 76 | No change | No Comments |
| 77 | No Significant Change | No Comments |
| 77A | New Section introduced to provide for Compounding of offences with punishment up to 3 years. | Welcome Provision |
| 77B | New Section introduced to consider all offences with 3 years imprisonment under the Act as "Cognizable" and bailable | Welcome Provision |
| 78 | Power to investigate any cognizable offence vested with Inspectors instead of DSPs | Welcome. |
| 79 | Modified to slightly shift the onus of proving liability on the prosecution. Otherwise no significant change. | Welcome |
| 79A | New Section introduced to provide for the Government to designate any government body as an Examiner of Electronic Evidence | Welcome |
| 80 | The powers earlier available to DSPs are now made available to Inspectors | Welcome |
| 81 | Amended to keep the primacy of Copyright and Patent acts above ITA 2000 | No Comments |
| 81-A | No Change | No Comments |
| 82 | No Significant Change | No Comments |
| 83, 84 | No Change | No Comments |
| 84A | New Section introduced to enable the Government to prescribe encryption methods | Welcome |
| 84B | New Section introduced to make "abetment" punishable as the offence itself | Welcome |
| 84C | New Section introduced to make an "attempt to commit an offence" punishable with half of the punishment meant for the offence. | Welcome |
| 85, 86 | No Change | No Comments |
| 87 | Consequential Changes made | No Comments |
| 88, 89 | No Changes | No Comments |
| 90 | No significant change | No Comments |
| 91-94 | Omitted | Schedule I and II covered by Sections 91 and 92 have been replaced. The status of the earlier amendments made to IPC under Schedule I and IEA under Schedule II are now unclear. Similarly the Changes made to BBEA and RBI Act under Sections 93 and 94 are also unclear. New modifications for IEA have now been introduced, |

 

Naavi

October 8, 2009

 


 Comments are Welcome at naavi@vsnl.com


 
