Let's Build a Responsible Cyber Society


Comments of Naavi on the Amendments Proposed to ITA-2000

(Version 3)

P.S: These are the preliminary comments of Naavi. May be expanded later

A Law By the Privileged, For the Privileged and to Protect the Privileged !

It is difficult to say if the amended ITA-2000, namely the Information Technology Amendment Act (Proposed)-2005,  [ITAA(P) 2005] is a joke or a serious attempt to make a law by the privileged, for the privileged and to protect the privileged.

Many of the provisions defy logic and raise serious doubts on the core objective for which the amendment exercise has been initiated. An attempt has been made to present the implications of the amendments through a series of articles so that public can respond with their comments.

Hopefully we can send a consolidated strong response to the Ministry of Communication Information Technology highlighting the inadequacies of the provisions. 

 

Section Change Proposed Comments
1

Section 1(4) list of excluded documents removed. To be notified through Gazette

Procedural simplification. Could help subsequent changes to be made through notifications. An immediate notification concurrent with the passage of the ITAA-2005 required to list the documents hitherto excluded.

2

2(d) removed, and consequential changes made due to the replacement of the "Digital Signature" with "Electronic Signature" in the Act

Necessary due to the introduction of the umbrella authentication system called "Electronic Signatures"

  In 2(j) "Computer Systems" added.

Clarification  perhaps redundant

  In 2(i) "Wireless" added

Clarification welcome though perhaps redundant

  2 (nn) introduced to define the term "Cyber Cafe"

Places where access to Electronic Forms are allowed to public is called "Cyber Cafe". Any other network where closed groups such as employees or students are allowed is not covered.

Any "Kiosk" even in a Government department or Airport, Bus stand or Railway Station where "Access to Electronic Form to Public" may be defined as "Cyber Cafe". Since this refers to any "Electronic Form", a place where public is given access to digital music is also a "Cyber Cafe".

Consequent to this definition, the definition of "Cyber Cafe" in state legislations become redundant and needs to be scrapped.

  2(t) introduces the term of "Electronic Signature" which is inclusive of the term "Digital Signature" and points to Section 5 for further definition  
  2 (zaa) defines the term "person" Clarification welcome
3,4,5 The earlier Chapter II has been expanded to include two sections of the old Chapter III Provides Better logical sequencing.
  Section 3 now refers to legal recognition of electronic documents.

This is a reproduction of the earlier section 4.

  Section 4 now refers to legal recognition of "Electronic Signature which is reliable". "Reliable Electronic Signature is defined in Section 4 (2).

The definition of "Electronic Signature" does not make any significant change other than the satisfaction that if any new system comes into the technology space which can ensure data integrity and reliable authentication, it can be used instead of a combination of hashing and asymmetric cryptosystem which was the only method suggested earlier.

New section 4(2)(a) is ambiguous since it talks about linking data in electronic form to a signatory in physical form.

A new term called "Electronic Signature Creation Code" has been introduced without proper definition.

Section 5 is the re incarnation of the old Section 3 in respect of Digital Signature except that it now enables the Government to introduce any other form of Electronic signature.

There is a possibility of this section being abused with the Government being persuaded to validate systems which may not fulfill the strict criteria that  algorithms associated with the Digital Signatures. Strict vigil is required in this respect by technology experts.

The so called "Making ITA-2000 Technology Neutral" does not seem to have achieved any perceptible progress though nothing was in fact expected.

At the present juncture, there is no alternative to "Digital Signatures" and if the Government intends to introduce any alternate form of authentication, it's acceptability may be challenged.

6,7,8,9 These were the earlier enabling sections of the Act where the Government bodies could use electronic documents, means of payment receipt etc in their e-Governance activities. These continue without any change.

There was a need to make changes to accommodate digitization of manual records into electronic form on which there was some doubts. An opportunity has been missed.

  The only change is an enabling provision is the use of private partners in delivery of the service.

Welcome as a clarification but perhaps redundant.

10 Old Section 10 has been deleted as redundant

No Comments.

  New Section 10 A specifies that contract formation is possible with offer and acceptance being in electronic form.

This is stating the obvious. Redundant and could cause problems for transactions between October 17, 2000 and the new date of effect of this amendment.

It would have been better if this had not been introduced in this fashion and left to the extension of the Indian Contract Act through the section on legal recognition of electronic documents.

11.12,13 No significant change No Comments
14,15 No significant change No Comments
16 The section introduces consultation process with unspecified industry bodies.

Unnecessary since this is a procedural aspect of formation of the procedure.

This could mean that no such consultation is envisaged in respect of other notifications.

17,18,19 No significant change No Comments
20 Section deleted

The responsibility of the Controller to act as "Repository" has been removed. While the logic is that this should be the responsibility of the individual CA, the CCA has abdicated its responsibility for developing a trusted PKI infrastructure. This is an admission of the failure to provide a proper repository until now. The CAs also have not so far provided a satisfactory repository service and this will continue to be a lacuna in the system.

21 No significant change No Comments
22, 23 The amount of specified upper limit on the  fees deleted. Welcome
24,25,26,27 No significant change No Comments
28 The powers of the controller to investigate contraventions under the Act is sought to be clarified.

There appears to be a mistake in the draft published. There is ambiguity on whether the power of the Controller is limited to contraventions under this "Chapter" or under this "Act"

29 No significant change No Comments
30 Responsibility for maintaining repository specified for the CA.

Requires refiling of CPS by existing CAs

31,32,33,34 No significant change No Comments
35 Sub section (3) removed (4) modified

This change was due right from 2000 and was sought to be corrected by an administrative notification earlier. Better late than never.

  Fees specification removed Welcome
36 No significant change No Comments
37 Responsibility for suspension in public interest replaced with "under directions from controller" No Comments
38,39 No significant change No Comments
40 No significant change No Comments
41 Old Section 41 now renamed as 42 without any significant change No Comments
  New Section 41 A added to provide for alternate forms of Electronic Signatures. No Comments
42 Deleted with the comment that this is related to the subscriber-CA contractual relationship

This appears unwise. There was a statutory responsibility for securing the private key which has now been diluted to a contractual responsibility. This may affect the rights of a victim.

43 No significant change in 43 (1) which is a reproduction of earlier section except for the change of the word "Penalty" into "Compensation" No Comments
  Subsection (2) added to specify liability for a body corporate handling sensitive data

A redundant addition since the earlier section had already provided the cover. In re-defining the provision, individual owners of data appear to have been kept out of the purview of the section.

Notification on "What is Sensitive Personal Data?" is due.

  "Reasonable Security Practices" specified for data handlers

Notification of what constitutes "Reasonable Security Practices" is due.

  "Exceeding of Authority" included in "Without Permission"

Clarification welcome though considered redundant

44,45 No significant change No Comments
46 The words "Under this Chapter" omitted

This is an attempt to extend the jurisdiction of the adjudicator to offences coming under criminal category. In particular it is mentioned that the intention is to cover Section 72. This section refers to "Breach of Privacy" which is now sought to be extended to the cases of transmission of obscene messages. It has imprisonment and fine provisions.  Inter alia this section also tries to provide compensation to the victim. It also speaks of need for the victim to file a complaint with the Court.

 Not clear if the implications have been fully explored. There appears to be some contradictions in this regard in the proposed amendments.

47 No significant change No Comments
48-62 No significant change.. Except the change of name of Cyber Regulations Appellate Tribunal to Cyber Appellate Tribunal. No Comments
63 Deleted and indicated as moved to 44A in the official version.. However the new section appears to be 80 A and not 44A.

If it is intended to move 63 to 44 A, it is logical since it addresses compounding of contraventions under chapter IX.. 80 A appears after the Chapter XI and if Compounding is addressed here it should be interpreted as "Compounding is permitted for Chapter XI offences".

The correctness of the "Adjudicator"  being the "Compounding Authority"  for criminal offences is debatable.

64 No significant change No Comments
65 No significant change No Comments
66 The clause has been wholly re written with significant changes.

In the earlier version, "If information residing inside a computer had been injuriously affected by any means", and the person causing the injury was "Either Aware" or "Had the Intention" to cause damage, the section could have been invoked.

In the new version, the three prerequisites introduced are "Dishonestly", "Fraudulently" and "Without Permission".

Earlier for all offences 3 years punishment had been prescribed along with fine of RS 2 lakhs.

Now the punishment has been diluted to 1 year in some cases and 2 years in some other cases. Fine in some cases has been extended to RS 5 lakhs.

The net effect of the change is that the protection for information owners has been reduced from the earlier version. In the earlier version any means of affecting the information residing inside the computer including non electronic means could have been covered. Now the section appears to restrict its coverage to electronic access.

While removing the words "Hacking" and introducing the word "Computer related offences", the section reverts to "Offences resulting from Unauthorized Access" from a more generic description of the offence.

67 The clause has been wholly re written with significant changes.

The section directly seeks to  provide protection to intermediaries by invoking exception to intermediaries provided under Section 79.

The term of punishment for first offence is reduced from 5 years to 2 years and for second offence from 10 years to 5 years.

Child pornography is added separately with 3 and 7 years imprisonment for first and subsequent commission of the offence.

Amount of fine is also sought to be increased upto 10 lakhs under this section from the earlier 2 lakhs

68 No significant change No Comments
  New Section 68 A introduced

Use of Encryption is specifically recognized. An earlier presumption clarified.

69 Powers to order interception is taken over by the Government from the Controller Welcome
70 No significant change No Comments
71 The word "Intentionally" is added

Whether "Intentional Mis representation" is another form of "Fraud" can be debated.

72 Substantial change has been made to this section to extend its coverage to "Privacy Violations" of the Bazee.com type scandals.

The existing provision of making the holder of data collected in pursuance of this act (refers to CAs) liable for breach of confidentiality has been diluted by introducing the condition "Intentionally discloses". This makes CAs completely free form any liability. There has been an increase in the amount of fine which has no meaning under the circumstances.

Under subsection (2) also, by making the compensation conditional to "With intention to cause injury" to the data subject, the operation of the section as a privacy protection provision has been fully defeated not withstanding the amount of Rs 25 lakhs indicated as liability for damages.

The section combines compensation to victim and prosecution. Practical difficulties in invoking the grievance redressal mechanism needs to be debated.

The section seems to bye-pass the Police and makes it mandatory for the victim to approach a magistrate instead of the law enforcement officer.

The definition of "Private area" includes "undergarment clad" private parts also. Probably these definitions need a re-look.

75-78 No significant change No Comments
  A new section 78 A has been introduced to provide for defining the role of experts as "Digital Evidence Examiner" Welcome
79 The section is modified to protect intermediaries fully.

The definition of "Intermediaries" includes Cyber Cafes who appear to be the unintended beneficiaries of this largesse. According to the amended section, unless "Conspiracy" or "Abettement" is proved, intermediary is not liable. The liability arises only when the intermediary fails to act on a notice given about the commission of a crime and no preventive action is taken.

The need to provide such immunity has to be debated. This could create a precedence where every other segment can try to extract legal immunity for various offences. eg: A transport company may claim immunity for any offences involving the transport vehicle. etc.

80 Section has been deleted

It is strange that the power of the Police to search and arrest without warrant which had earlier been limited to the rank of DySPs and in public places is sought to be completely removed.

This could mean that Police may not have any power to search or arrest without warrant or may fall back upon the provisions of the Criminal Procedure Code where any Police officer in charge of the station can arrest or search without warrant in certain offences. This could be in conflict however with Section 78.

It appears that the committee has been vindictive on the Police for arresting corporate executives and did not want any powers to be given to the Police at all. Along with the requirement of complaint on under Section 72 to given directly to the Magistrate, there appears to be an attempt to eliminate the Police from the Law enforcement duties regarding Cyber Crimes.

It is not clear if this is acceptable in the larger interest of the society despite the possibilities of abuse of powers by the Police in some cases.

  New Section 80 A introduced

This section provides for compounding of offences and contraventions  by the controllers and adjudicating officers. If prosecution has already been launched then the compounding is to be brought to the notice of the Court by the controller or the adjudicator.

In other words, the controller or the adjudicating authority can frustrate a prosecution pending before a Court without the consent of the Court.

..An excellent recipe for bailing out corporate executives caught in Cyber Crimes.  It is now enough if the case is taken over by the adjudicator who is the IT Secretary of some state who can agree on compounding of the offence and notify the Court where the prosecution may be pending and the case shall stand dismissed.

81 Section 81 diluted to provide preference to Copyright and Patent Acts

The over riding effect of ITA has now been subordinated to two acts namely the Copyright Act and Patent Act. Perhaps the IPR lobby lead by MNC software developers have had an influence on this provision.

82,83,84 No significant change No Comments
85 Modified to protect Company executives

The liability arises only when the complainant proves that the offence took place with the connivance of the Company.

However the amendments have omitted to change the due diligence requirements which remains a necessity.

86 No significant change No Comments
87-94 No significant change No Comments

Naavi

August 30, 2005