Under ITA-2000, Sections 65, 66, 67 and 70 were the
principle clauses that defined some offences punishable under the Act.
Section 85 as well as 79 determined Corporate responsibility for crimes.
ITAA(p)-2005 (We shall use this abbreviation for the
amended act proposed by the "Expert Committee") has made
significant changes to Sections 66 and 67 as well as Sections 85 and 79.
The Committee which was expected to introduce
punishments for some offences like Spamming, Cyber Stalking, Cyber
Squatting, Cyber Terrorism etc chose to ignore these burning issues. Its
attempt on Data Protection has also been faulty.
The Cyber Crime Police Stations that have been set up
at different parts of the Country in the wake of increasing Cyber Crimes
may now become weak and irrelevant.
Judiciary has been further weakened. Now it is not only
in the case of Civil cases that Courts will not have a say (Except on
appeal at High Court level, but even the Magistrate Courts can be ousted
by an executive letter.
The net effect of these changes has been to make life
easy for criminals. As a result of these changes, many crimes will not get
recognized, investigations will be frustrated and convictions will be
rare. ...Naavi
The current ITA-2000 was enacted basically to remove
the hurdles for e-Commerce development. The principle objective was to
give legal recognition to transactions on the digital space. Incidentally
it was felt that current criminal laws may not be sufficient to address
the issues of Cyber Space and hence a few clauses were introduced under
Chapter XI to address specific offences in Cyber Space. Simultaneously,
Section 43 in Chapter IX addressed the needs of a victim of a Cyber Crime
to be compensated for the damages suffered. Leaving the offences related
to Digital Signatures and the System of Certifying Authorities associated
with it, the main clauses under which criminal offences were dealt with
were Sections 65,66,67 and 70.
Out of the above, Section 66 is one of the critical
clauses of ITA-2000 and the one which provided the greatest protection
from Cyber Crimes to the Digital Society. The earlier drafting had made a
slight error in giving a name to Section 66 offence, calling it as
"Hacking" which had created some confusion amongst computer users. The
reason was that the term "Hacking" had earlier been associated with the
activity of "Evaluating the vulnerabilities in the security of a
network". Hacking therefore referred to an attempt to enter a network
without authority and test the security barriers. Hackers were not the
people who had intention to cause damage or commit a crime. Their
intention was only to demonstrate that they can enter a network breaking
the security barriers. Those hackers who had a bad intention were called
"Crackers". It is for this reason that the Internet is replete with
"hacker clubs" which are not considered illegal associations.
If we leave aside the perception problems associated
with the general meaning associated with the term "hacking" in the net
community, the earlier Section 66 was an excellent omnibus definition of
offences against "Information Residing Inside a Computer". It is
worthwhile recalling this section which states as follows.
66.
Hacking with computer system
(1)
Whoever with the intent to cause or knowing that he is likely to cause
wrongful loss or damage to the public or any person destroys or deletes
or alters any information residing in a computer resource or diminishes
its value or utility or affects it injuriously by any means,
commits hacking.
(2)
Whoever commits hacking shall be punished with imprisonment up to three
years, or with fine which may extend up to two lakh rupees, or with
both.
As can be derived from the above, the section gave
recognition to a any act which resulted in "Affecting information residing
in a computer injuriously". Diminution of value as it happens when a
confidential information is shared with unauthorized persons was also
covered providing the much talked about "Data Security".
It could be observed that the section did not limit to
damage caused by "Entering the Network unauthorized". It could cover
damage by "Any Means" indicating that even a physical damage could be
covered.
What was required for making this section stick against
a person as an offence was either "Intention" or "Knowledge".
ie, If a person knew that his action may cause damage,
deletion, reduction in value or injury to information residing inside a
Computer, and any of these things do happen, then the Section 66 offence
is recognized with 3 years imprisonment liability.
This section therefore provided one of the highest
protections for data residing inside a computer.
It is unfortunate that the "Expert Committee" has not
understood the power of this section and now moved to make amendments
which actually dilute the data protection aspects that were available in
the section.
Now let us see what the amendment has proposed.
66 Computer
related offenses:
a)
If any person,
dishonestly or fraudulently, without permission of the owner or of any
other person who is incharge of a computer resource
(i) accesses
or secures access to such computer resource;
(ii) downloads,
copies or extracts any data, computer data base or information
from such computer resource including information or data held or stored in any
removable storage medium;
(iii) denies
or causes the denial of access to any person authorised to access
any computer resource;
he shall be
punishable with imprisonment upto one year or a fine which may extend up
to two lacs or with both;
(b) If any
person, dishonestly or fraudulently, without permission of the owner or
of any other person who is incharge of a computer resource
(i)
introduces or causes to be introduced any computer contaminant or computer virus into any
computer resource;
(ii)disrupts
or causes disruption or impairment of electronic resource;
(iii)
charges the
services availed of by a person to the account of another person by
tampering with or manipulating any computer resource;
(iv) provides any
assistance to any person to facilitate access to a computer resource in
contravention of the provisions of this Act, rules or regulations made thereunder;
(v) damages
or causes to be damaged any computer resource, date,
(Ed: May be a typographic
error for data), computer database, or
other programmes residing in such computer resource;
he shall be
punishable with imprisonment upto two years or a fine which may extend up
to five lacs or with both;
Explanation: For the purposes of this
section-
a. ‘Dishonestly’ –
Whoever does anything with the intention of causing wrongful gain to one
person, wrongful loss or harm to another person, is said to do this thing
dishonestly”.
b.
‘Fraudulently’ –
A person is said to do a thing fraudulently if he does that thing with
intent to defraud but not otherwise.
c.
“Without the
permission of the owner” shall include access to information that exceeds
the level of authorized permission to access.
It can be observed from the above that the committee
has removed the name "hacking" associated with the section, which is fine.
But the committee has diluted the earlier provision which could invoke the
section for "Injury" to information by "any means" with "Knowledge" or
"Intention" with several restrictions.
Now this section can be invoked only if the following
three conditions are satisfied.
a) Action should have been committed dishonestly or
b) Action should have been committed fraudulently or
c) Action should have been committed without authority
Secondly, while the scope of the section is limited to
a) Access
b) Downloading, copying or extraction of data
c) Introduction of Virus or Computer contaminant
d) Denial of Service
e) Causing disruption of service
f) Charging service availed to another person
g) Providing assistance to another person to contravene
h) Damaging the computer resource, data ( Ed: Date as
indicated in the section is presumed to be a typographic error)
The actions listed here in as offences are the same for
which civil liabilities are prescribed in Section 43. However, it has
escaped the collective wisdom of the "Expert Committee" that the words in
the earlier section such as "Diminution in value and injuriously affecting
information" already covered all these aspects and many more.
Also, by making dishonest and fraudulent intentions
prerequisites for the offence committed by an authorized person (remember
most cyber crimes are committed by authorized employees), the scope of the
section has been significantly restricted.
It is funny that the earlier section called it as
"hacking" and covered a whole gamut of Cyber Crimes while the amendment
calls it as "Offences relating to Computer" and restricts the coverage to
"Unauthorized Access".
The attempted amendment to Section 66 betrays the lack
of perspective knowledge of the expert committee and will continue to
haunt the Ministry officials which was part of the process. It is strange
that with people like Dr Vishwanathan available for consultancy, the
Ministry deliberately kept him out of the committee and ended up making
mistakes of the kind mentioned above. Dr Vishwanathan who was deeply
involved in the drafting of the earlier version was fully aware of even
the mistakes committed and not using his expertise can only be interpreted
as an attempt to keep out those who would not have gone with the
objectives that guided the amendment effort.
Additionally, since the period of imprisonment has been
brought down from 3 years to two years, Police will not be able to even
consider it a "Cognizable Offence" under CrPc (Even if such a possibility
existed). Hence Police will find it difficult to proceed with
investigations in cases of "Hacking". This coupled with the compounding
provisions which make it easy for any criminal to escape with a financial
loss makes it very easy for criminals to escape punishment.
Having discussed the changes made in Section 66, it is
necessary to add a few words to the discussion on "Composition" in case of
criminal offences provided in the amendments where the adjudicator or the
controller has been given the powers even when a case is under a Court.
(This was already discussed in yesterday's article).
It must be stated here that the concept of "Composition
of Criminal Offences" is relevant when "Innocent" persons "Without
intention to commit a crime" cause loss to the society and come under
similar actions which could be done intentionally. Such innocent persons
who may plead guilty and show remorse need to be provided an exit route
without being imprisoned. One classical example is say damage caused
through a road accident. Many times the driver who causes death to an
accident victim feels guilty himself and undergoes remorse. Composition is
relevant for such cases. In the earlier definition of Section 66 offence
there was a possibility of a person committing the offence without
intention. Hence Composition was relevant.
In the new definition, composition is less relevant
since a person who dishonestly or fraudulently commits hacking need not be
given the benefit of composition.
Naavi
September 1, 2005
