As soon as the new BJP Government has taken over and Mr Amit Shah became the Home Minister, an effort is being launched to examine the improvements that are required to be made for better Cyber Crime control.
Essentially, the following questions have been raised:
- What is the existing legal framework to deal with cybercrime?
- What are the difficulties being faced in prevention, detection, investigation & prosecution of cybercrime?
- What specific problems/Gaps being faced in the legal framework to deal with cybercrime?
- What changes are required in the legal framework to deal with cybercrime more effectively?
- Whether there is need to provide a legal definition for “cybercrime”?
- Whether any amendments are required in CrPC, IPC IT ACT, 2000 or any other law to improve effectiveness of LEA’s in dealing with cybercrimes?
- Whether any amendment is required in any Law/Rules that will enhance Awareness/Capability of police personnel about the cybercrimes?
While the intention of the Government is good, it is necessary that the exercise does not end up with just the tinkering of a few legal sections in different laws.
Already, there is a Section 69 ITA 2000/8 notification which is being challenged in the Supreme Court and the Intermediary guidelines under Section 79 that is also being debated and eventually reach the Supreme Court. The PDPA with whatever revisions the Government may do (diluting the Data Localization and penal provisions) will also find itself in the Supreme Court eventually.
Tinkering with the laws will only have marginal impact on improving the situation. It will take a long time for the change of law to come into effect as we know how Section 66A continues to be invoked despite its removal.
While certain changes in law could be helpful, the Government needs to look beyond the tinkering with laws and change the fundamental structure of Cyber Policing. A brief suggestion therefore is as follows.
Create a National Cyber Police Force
Today, law enforcement is the State Subject and hence the state Governments have a say in the laws that affect Cyber Crime prevention, investigation and prosecution.
ITA 2000 itself is a central law for the “Cyber Space” and State Government has only powers to make follow up laws to implement the the law as it is and cannot enact new laws for the Cyber Space. If “ITA 2000” had been considered as the “Law of Cyber Space within the jurisdictional control of India”, then the entire responsibility to manage Cyber Crimes from Cyber Intelligence to Prosecution should be the responsibility of the Central Government. This makes sense because Cyber Space is known to be border less and crimes occur across national boundaries. If therefore we donot recognize that it can also occur across the State Boundaries and needs to be managed as a concept of “Crime in Indian Cyber Space”, we will not see substantial improvement in the way we prevent Cyber Crimes.
Despite the fact that ITA 2000 is a central law and States have no power to super impose local laws some states have enacted laws separately for Cyber Cafes assuming the right to make law for “Cyber Operations in a State”. Some have attacked Social Media in the State with guidelines from the local police etc. The Cyber Crime police stations are also set up locally with police transferred from the regular cadre and shifted back after a brief stint. This structure is not conducive to efficient Cyber Crime policing.
We therefore need to beak out of this constraint and re define the legal framework for Cyber Crimes by starting with creating a National/Indian Cyber Crime Police Force. (ICCPF).
We presently have the CBI and NIA or CRPF which act across the State Boundaries. Even these organizations are often been frustrated by the States not giving permissions for investigation due to political reasons.
As we go forward, similar obstructions will be placed on Cyber Crime investigations also when the investigation, arrest etc has to occur beyond a state boundary.
Unless we remove this hurdle, we will not make any substantial progress.
Skill Development and Career Opportunities
We often blame “ignorance” as a reason for inefficient Cyber Crime management. While the need for knowledge and up gradation of knowledge is eternal, it cannot be an excuse for every problem in Cyber Crime management.
The reason why skilled Cyber Crime investigators may not be around is that the current force of Cyber Crime police get transferred before they acquire sufficient skill and expertise and get replaced with others who have to again go through the learning cycle.
Creation of the Special Cyber Crime Police force will enable a long term stint for the police in the division and acquisition and use of their skills.
The availability of such a national Cyber Crime police force will enable a career path for the technically minded police who prefer to work with the computers rather than with the lathis.
The T.K.Vishwanathan Committee which gave a few suggestions for amending ITA 2000 suggested changes to the CrPc also which included creation of district level expert committees to assist the police and a state level DGP-Cyber Crimes. The States however did not take the hint and implement the suggestions. Now the National Force for Cyber Crimes can create such State level apex police officer who is the single apex authority for any Cyber Crime issue in the State supporting a national level structure all the way upto the National Head of the Cyber Crime Police Force.
Judicial Support
The ITA 2000 created a separate adjudication forum to settle Civil Disputes but left the handling of Cyber Crimes with the legacy criminal justice system.
This legacy system is not suitable for handling Cyber Crime prosecutions since just like the Police there is a need to build expertise in the Judicial officers also to understand the nuances of Cyber Crime, Data Protection related issues etc.
It is therefore necessary for the Government to consider special Magistrate Courts for Cyber Crimes at least for a cluster of few districts in each state.
Naturally this requires the cooperation of the Judiciary which I hope should be available.
Defining Cyber Crime
It is not necessary that there should be a legal definition for “Cyber Crime”. Any offence where the electronic document is either a target or a tool automatically qualifies to be called a Cyber Crime. Depending on the cause of action, it may be handled under ITA 2000 or IPC etc.
However, if a definition is really required, we need to define “Cyber Crime” as a “Crime in Cyber Space”.
Cyber Space is the “Imaginary space created by binary expressions”.
Cyber Crimes first affect a Cyber identity or a virtual person or property. The definition should recognize this. Later the adverse impact on the Virtual victim is felt by a physical entity.
Most of the problems we encounter today is because we try to jump directly from a Cyber Crime to a Physical victim.
Proving damage to a Virtual Victim by a Virtual offender (John Doe) is often easier. But identifying who is the victim and who is the perpetrator in terms of their physical identities and bring them under the Criminal Procedure Code often creates a problem.
We therefore needs to find a solution to separate the two issues.
While proving a Crime is a judicial requirement, identifying and mapping a virtual identity to a physical identity is a more a technical requirement.
I have suggested earlier that this “Mapping of physical identity to virtual identity” which requires IP resolution, breaking the anonymization of criminals by intermediaries needs to be tackled with stronger implementation of regulations of the intermediaries.
The Golden Hour Principle
It is well known that the failure of Cyber Crime investigation is often because the police delay the investigation for various reasons including indecision on whether a reported incident is afterall a crime or not and if so how serious it is etc.
In most cases by the time they initiate investigative action the horses would have bolted.
It is therefore necessary that “Discretion” for the police whether to investigate or not needs to be removed by making online registration of complaints mandatory.
Along with this, an enforceable notice to the intermediaries such as Gmail to reveal the privacy masks on IP address in respect of registered complaints without the need for a formal police intervention needs to be considered.
This will remove part of the corruption in the Police force that makes the Cyber Crime Police Station keep arguing with the complainant why the complaint cannot be registered and why it should be registered by another Police Station and not himself etc.
I hope some of these changes are considered by the Government.
I invite the public to send their comments either here or directly to the Secretary Ministry of Home (E Mail: hshso @nic.in) on any of the matters discussed above.
Naavi