Recommendations made by ASCL to Government of India for amendments to the Information Technology Act, 2000

Introduction

The Indian Information Technology Act, 2000 (hereinafter referred to as "the Act") is one of the most important pieces of legislation in the recent past. This statute reaffirms India’s commitment towards building a knowledge-based society and keeping pace with the rest of the world by providing a legal framework within which such a society can flourish.

The Act not only addresses issues related to electronic commerce by providing a framework for the establishment of a Public Key Infrastructure in the country, but it also addresses the issues of cyber crime and admissibility of digital evidence through the various provisions incorporated within the Act in itself and by way of amendments in other statutes.

However, the ever-changing and dynamic information technology sector has already, within three years of the commencement of the Act, made it imperative to review the Act, as there is an ever-increasing view among the industry, academicians, professionals and the general public that the Act needs to be re-analyzed in its entirety. This analysis is needed so that the weaknesses that were already present in the Act, or have later crept into it, creating ambiguities, can be eliminated.

Asian School of Cyber Laws accordingly recommends that the following changes in the Act be incorporated by way of amendments, additions and deletions to help achieve the objectives for which the legislation was brought into force.

Recommendation 1:
Amendment of the Preamble to the Act

The Preamble to an Act expresses the scope, object and purpose of the Act. It provides the intention behind framing the legislation. It is settled law that a preamble can be used for construing a provision in case of ambiguity within the Act. The role of the Preamble in an Act therefore cannot be curtailed.

Surprisingly, the Preamble to the Information Technology Act, 2000 omits to even mention cyber crime or computer based crimes whereas an entire chapter of the Act itself deals with such crimes. In the absence of any provision in the Preamble, it would be an onerous task for the Judiciary to construe any provision relating to offences under the Act, in case of any ambiguity.

Thus, it is recommended that the Preamble to the Act be amended to include addressing of cyber crimes as being one of the objectives of the Act.

Recommendation 2:
Legislation relating to privacy

Privacy and data protection are important issues that need to be addressed today as information technology assumes greater importance in personal, professional and commercial spheres. The European Union and the United States have strict policies relating to privacy and protection of personal data when such data or information is being transferred out of their domain.

It is also pertinent to note here that the absence of a specific privacy law in India has resulted in a loss of substantial foreign investment and other business opportunities. This deficiency has also served as an obstacle to the real growth of electronic commerce. Thus, a statute addressing the various issues related to privacy is of utmost importance today. Accordingly, it is recommended that a statute addressing the issues of privacy be brought into force as soon as possible.

However, if it is deemed fit that an entire and separate legislation not be brought into force, it is nevertheless recommended that specific provisions relating to privacy and data protection be incorporated into a separate chapter by way of an amendment to the Act.

Recommendation 3:
Allowing for technology-neutral methods of authentication of electronic records

The Information Technology Act, 2000 is based upon the UNCITRAL Model Law on Electronic Commerce. However, where the UNCITRAL Model Law has chosen to adopt a technology-neutral approach towards authentication of electronic records, the Information Technology Act, 2000 has deviated from that approach. The Act has made a technology-specific stipulation inasmuch as it provides for authentication of electronic records only through digital signatures.

The pitfalls of such an approach are obvious considering the fast-paced growth of technology. Recent amendments to the Act only confirm this. Since frequent amendments to any legislation are cumbersome and undesirable, there is a need to make the Act technology neutral by making suitable modifications in section 3 of the Act.

Recommendation 4:
Issues relating to e-commerce transactions

With online commerce growing by leaps and bounds, it has become important that organizations seeking to do business through web sites must have a level of trust associated with them. A mere web presence does not provide any information about the credentials of a commercial organization. Operators of fraudulent websites have managed to dupe innocent persons out of millions of rupees due to lack of verification or authentication of such websites.

To deter such operators and to encourage public confidence in online commerce, it is recommended that provisions for obtaining digital signature certificates compulsorily for such websites be incorporated in the Information Technology Act, 2000 thereby conferring a degree of authenticity on these websites and eliminating fraudulent transactions to a great extent.

Recommendation 5:
Removal of provisions relating to secure digital signature and security procedure

Section 15 of the Act introduces the concept of a secure digital signature and section 16 of the Act lays down the considerations in light of which a security procedure is to be applied to a digital signature for the purposes of a secure digital signature.

However, on careful analysis of the provisions relating to the definition of a digital signature it becomes clear that the process of creating a digital signature itself satisfies the criteria laid down in section 15 of the Act. Hence, the need for a secure digital signature becomes redundant. Further, the criteria stipulated in the various sub-sections of section 16 which need to be fulfilled for laying down the security procedure for a secure digital signature are themselves abstract and vague. Section 15 of the Act seems to have been inspired by section 16 of the Electronic Transactions Act 1988 of Singapore. However, the Singapore Act recognizes an electronic signature and hence such a provision holds water under that Act.

Since the Information Technology Act, 2000 does not recognize the concept of an electronic signature, it is recommended that sections 15 and 16 of the Act, and all other sections which are incidental to these sections, be removed from the Act to avoid uncertainty and confusion.

Recommendation 6:
Duties of the Controller

Section 20 of the Act lays down one of the duties of the Controller, whereby the Controller acts as a repository for all Digital Signature Certificates issued under the Act. The section specifies that the Controller shall observe necessary standards to ensure that the “secrecy and security” of the digital signature certificates are assured.

Digital Signature Certificates are public documents inasmuch as they have to be published to allow verification of a digital signature. Therefore, there is no secrecy requirement for digital signature certificates. Hence, it is recommended that the words “secrecy and” in section 20(2)(b) be removed from the Act.

Recommendation 7:
Controller’s power to investigate contraventions

Section 28 of the Act confers power upon the Controller to investigate any contraventions of the provisions of the Act. This clearly vests the Controller with the power to investigate penalties under chapter IX of the Act and offences under chapter XI of the Act.

However, the appropriate law enforcement agencies are also empowered to investigate offences under chapter XI of the Act. Such a conflict of powers under the Act gives rise to possibilities of inconsistencies between the two agencies. To avoid such difficulties, it is recommended that the Controller’s power to investigate be limited to penalties under chapter IX of the Act and not extend to offences under chapter XI.

It is also further recommended that appropriate amendments be made to provide for the detailed procedure to be followed by the Controller to investigate the penalties under Chapter IX of the Act.

Recommendation 8:
Key escrow and archival facilities for Private Keys

Digital signatures are an application of asymmetric key cryptography where a private key and a public key are used for the purposes of digital signature and encryption. The secrecy and security of the private key wherever an asymmetric crypto system is used is of paramount importance.

It is for this reason that key escrow and archival become necessary. Thus, it is recommended that provisions for key escrow be introduced in the Act for the government and its agencies wherever asymmetric key cryptography and digital signatures are being used. This will prevent the awkward situations that would arise if a private key is lost, becomes unusable or is compromised.

Recommendation 9:
Clarification on simultaneous proceedings

The Act provides for damages of up to one crore rupees to be paid to the aggrieved party for each of the penalties under chapter IX of the Act, and also provides for prosecution for a certain class of penalties which can be categorized as offences under chapter XI of the Act.

Distinct remedies exist for distinct acts and/or omissions. Penalties, which are adjudicated upon by way of civil proceedings, provide for compensation to the aggrieved party. Criminal proceedings, on the other hand, are aimed at punishing the offender for criminal activities and at deterring others from carrying them out. Due to the nature of penalties and offences under the Act, it should be made possible for an aggrieved person to seek both compensation and punishment without either proceeding creating a bar for the other.

Therefore, it is recommended that a specific provision be incorporated in the Act, laying down that proceedings initiated under chapter IX of the Act should not serve as a bar to proceedings initiated simultaneously under chapter XI of the Act against the offender.

Recommendation 10:
Provisions to cover credit card fraud

Although chapter IX has specified a number of acts as penalties under section 43 entitling a person to compensation under the said section, it has omitted to address credit card frauds on the Internet.

Credit cards are the primary means through which payments for goods and services are made on the Internet today. However, the public nature of the medium makes the use of credit cards on the Internet a dangerous proposition unless adequate precautions are taken to prevent their abuse.

The latter observation is vindicated by the fact that credit card thefts amount to over 33% of the data thefts reported by ASCL-CERT for the year 2001-2002. On a larger canvas, the damage is much greater, with numerous incidents relating to credit cards being reported daily.

Although an attempt has been made to address this through the provisions of section 43(h), the wording of the said section is too vague and ambiguous to be interpreted as addressing credit card frauds/thefts. Thus, it is recommended that the term “credit card” be defined appropriately and that a specific provision providing for compensation to an aggrieved party for credit card frauds/thefts be incorporated under section 43.

Recommendation 11:
Issues related to spamming

Unsolicited e-mail messages are proving to be a menace to the netizen, irrespective of the stratum or class to which the netizen belongs. The phenomenon, commonly known as spamming, is carried out by commercial organizations and by fraudsters who target consumers in order to swindle unsuspecting web-surfers.

Since spamming is a cost-effective method and gives wider reach, the problem has attained menacing proportions today. Spamming results in wastage of time and resources and is a constant source of harassment to the targeted person. This predicament is severe enough that many countries have declared spamming a criminal offence.

While acknowledging that spamming can be a source of constant nuisance, it must be noted that in most instances spamming hardly gives rise to serious financial loss. In the Indian context, it would be inappropriate to make spamming a criminal offence or an act which would draw liability under section 43.

Firstly, tracing the perpetrators of this activity is extremely difficult technically. Secondly, it must be kept in mind that the criminal and civil justice system in India is already overburdened. Under such a situation, if spamming is made an offending activity, which attracts legal liability, there will be a flood of litigation that will further burden the courts and make it near impossible to adjudicate upon this issue.

It is worth noting here that if spamming does result in severe financial loss, e.g., in cases where it causes denial of access and damage to computer systems, section 43 of the Act provides for compensation up to one crore rupees to the affected person. Thus, it is recommended that under the present circumstances there is no requirement to categorize spamming per se as an activity that gives rise to any legal right or impose any liability.

Recommendation 12:
Issues related to cyber stalking

With the Internet turning into a virtual meeting place for people, the problem of cyber stalking has become a perceivable threat. Cyber stalking involves a person following a web-surfer through cyberspace in spite of objections by the latter. This causes severe mental agony and stress to the person being stalked. The affected person at times gives up using the Internet or has to seek a change of the persona/identity with which he/she has come to be associated.

Merely stating what cyber stalking involves cannot throw light upon the seriousness of this crime and the adverse way in which it affects the victims of stalking, mostly women and children. Thus, it is recommended that section 509 of the Indian Penal Code, 1860 be amended suitably to accommodate cyber stalking, and that a provision be inserted in section 43 of the Act to provide for compensation to a victim of cyber stalking.

Recommendation 13:
Issues relating to trivial acts

The use of computers and the Internet has increased the value of information tremendously. Hence, causing damage to information has been penalized under the Act. At the same time, it must be kept in mind that the amount of compensation provided for under chapter IX of the Act can prove to be a great impetus for people to enter into frivolous litigation over trivial causes in the hope of financial gain.

Thus, there is an urgent need for incorporation of a provision in the Act on lines similar to section 95 of the Indian Penal Code, 1860, which excludes “acts causing slight harm” from being offences under the Act.

Recommendation 14:
Residuary penalty

Section 45 of the Act provides for a residuary penalty of twenty-five thousand rupees for contraventions for which no separate penalty is provided under the Act. Considering that compensation under section 43 of the Act is up to one crore rupees, it is advisable that the residuary penalty also be increased appropriately. Looking at the value of information stored or transmitted by means of computers, it is recommended that the amount of the residuary penalty provided for in section 45 be increased so that the financial loss caused by any act for which a penalty is not specifically provided is compensated adequately.

Recommendation 15:
Online gambling

Online gambling is a serious issue that has not been addressed under any Indian law. The Internet makes it very easy for any person to gamble using a web site which may be hosted anywhere in the world. The anonymity offered by the Internet allows operators of fraudulent web sites to dupe unsuspecting surfers of their money and escape prosecution.

Keeping in view the seriousness of the matter, it is recommended that appropriate amendments be made in the Gambling Prevention Act to address online gambling.

Recommendation 16:
Stamp duty for filing application before the Adjudicating Officer

Notification No. G.S.R. 220(E) dated 17th March 2003, vide the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003, provides for payment of a fee for filing an application before an adjudicating officer. However, the provisions relating to the appointment and powers of the adjudicating officer under the Act make no mention of any fees to be paid for the purpose of filing an application before the adjudicating officer.

Therefore, the stipulation that any fees have to be paid to file an application before an adjudicating officer is completely ultra vires the Act. It may be mentioned that any requirement, unless specifically stated under a statute, need not be complied with, and hence the provision for payment of fees towards the application vide the rule mentioned above would not be legally valid.

Thus, it is recommended that the said notification relating to payment of fees for filing of an application be rendered inoperative.

Recommendation 17:
Issues relating to computer based crimes

The Act through chapter XI and through various amendments to the Indian Penal Code has addressed issues related to computer-based crimes. However, the following substantial issues relating to computer crimes have not been addressed under the Act:

  1. Tampering with computer source code

    Section 65 of the Act provides for punishment for tampering with the source code of a computer program. However, the wording of section 65 is ambiguous and vague. The section applies to computer source codes “which are required to be kept or maintained by law for the time being in force...”. In the absence of any clarification as to which programs “are required to be kept or maintained by law”, the application of the provision to an act involving tampering with or concealing computer source documents is doubtful. Thus, it is recommended that section 65 be reworded to remove the ambiguity existing in the section.

  2. Creation of harmful programs

    Viruses, worms and other malicious programs cause losses amounting to millions of rupees every year. Disseminating a computer virus or any other kind of malicious computer program has become very easy with the advent of the Internet. Accordingly, hundreds of malicious computer programs are released every day and spread rapidly through the Internet. In the absence of any penal provision to punish the creator of a malicious computer program, such activities are rampant and adversely affect computer users across the world.

    Though section 66 of the Act provides punishment for damaging, deleting or altering information in a computer resource, i.e., under the provisions relating to hacking, it does not penalize the creator of a harmful program whose acts can result in hacking. A careful analysis of section 66 also reveals that the section is applicable to “information stored in a computer resource”. This wording therefore makes the provision inapplicable to data in transit.

    Thus it is recommended that section 66 of the Act be suitably amended to penalize the creator of a harmful or malicious computer program and to make it applicable to data that is in transit.

  3. Encrypted communication

    Cryptography is proving to be a deadly tool in the hands of terrorists and criminals. Disturbing trends are emerging where criminals and terrorists have been using encrypted communication to co-ordinate and execute their nefarious activities.

    Section 69 of the Act penalizes a person in charge of a computer resource who fails to assist an investigating agency directed by the Controller to intercept information and decrypt encrypted communication from that computer resource.

    However, section 69 is narrow in its scope as it is applicable only for cases specified therein. Also, a written order from the Controller authorizing such interception or decryption is a key ingredient of that section.

    Considering the present situation, where e-mail and the Internet are fast becoming the primary means of communication, it is recommended that the scope of section 69 be widened. The enhancement should be made in a manner which would make it possible to apply section 69 to matters other than those cited. Additionally, the requirement that the Controller’s authorization be recorded in writing should be removed. Instead, such an order should be given by any competent authority appointed or notified by the appropriate Government to the investigating agency for interception of information and decryption of data.

Recommendation 18:
Protected systems

Certain computer systems, by the nature of the information stored in them and by virtue of the operations that are processed through them, should be protected from misuse and intrusion. Computer systems utilized for security, defence or international relations; communications infrastructure, banking or financial services; public utilities, public transportation or for purposes of public key infrastructure would ideally fall under this category. Hence, many countries provide for enhanced punishment for unauthorized access to, or for any kind of damage caused to, such computer systems. These computer systems are generally given the name “protected systems”.

Section 70 of the Act provides for enhanced punishment for accessing or attempting to access computer systems, which are declared as “protected” computer systems under the said section. However, the procedure for declaring such computer systems as protected as laid down under section 70 is cumbersome and lengthy. There is a need to simplify the procedure required for declaring a computer system as being protected under section 70.

Keeping the Singapore model in mind, it is advisable and recommended that section 70 of the Act be suitably amended to include several types of sensitive systems and thereby avoid the cumbersome procedure that is enumerated in the present section. It is therefore recommended that, instead of specifically requiring the appropriate Government to declare a computer system as protected by notification, the categories of “protected computer systems” be specified in the Act itself.

Recommendation 19:
Issues relating to extraterritorial jurisdiction

Section 75 of the Act provides for extraterritorial jurisdiction for offences or contraventions under the Act. According to section 75, the Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence involves a computer, computer system or computer network located in India.

A careful reading of section 75 reveals that such extraterritoriality is applicable only to offences under the Act. It is significant to note here that a class of cyber crimes is also defined under the Indian Penal Code, 1860 due to the amendments made to the latter by the Act. As per section 75, those crimes would be excluded from the purview of extraterritoriality that exists for offences under the Information Technology Act 2000.

Thus, it is recommended that section 75 of the Act be amended to confer extraterritorial jurisdiction for offences committed and penalized under other statutes.

Recommendation 20:
Admissibility of electronic records

The Act, by virtue of amendments made to the Indian Evidence Act 1872, has made electronic records admissible as evidence in a court of law. The amendment has far reaching implications for leading evidence in cyber crime cases.

However, the provisions of section 65B(2), which need to be fulfilled for making electronic records admissible in a court of law, are unclear and vague. The said provisions throw no light upon how to fulfil the conditions mentioned therein. In the absence of any clarity, the procedure to be followed to make electronic records admissible in a court of law under section 65B(2) is doubtful.

Thus, it is recommended that section 65B(2) of the Indian Evidence Act, 1872 be simplified by way of amendment to render it clear and unambiguous.

Recommendation 21:
Investigation of offences

The power to investigate offences under the Act has been conferred upon a police officer of the rank of Deputy Superintendent of Police or above. However, such investigation should not be rank-specific, as officers of the said rank or above often do not have the time required to investigate each offence registered under the Act.

Thus, it is recommended that sections 78 and 80 of the Act be amended to allow for investigation of offences registered under the Act by a police officer irrespective of his rank. This will lessen the burden on the shoulders of a high-ranked police officer for investigating each and every crime under the Act and at the same time allow for adequately addressing the grievances of an affected party at a much faster pace.

Recommendation 22:
Liabilities of Internet Service Providers

In an Internet based transaction, the role played by network service providers is vital as without the assistance of a network service provider, communication would not be possible over the Internet. The role played by Network Service Providers in Internet communication compels them to deal with third party information at various stages.

It is also worth mentioning that Network Service Providers can be classified into distinct categories, e.g., Internet Service Providers and Application Service Providers, according to the nature of the service provided by them. Under such circumstances, the rights and liabilities of the various classes of Network Service Providers should be clearly spelt out by virtue of provisions under the Act.

Although section 79 of the Act tries to address the liability of a Network Service Provider, it does not clearly spell out or lay down their rights and liabilities. This may create apprehensions in the minds of organizations wanting to invest in such businesses.

Thus, it is recommended that additional provisions be included in the Act under chapter XII to clearly address the rights and liabilities of Network Service Providers so as to give impetus for investment in these areas.

Recommendation 23:
Public servants

The quantum of compensation to be paid to an affected person for penalties committed under chapter IX of the Act is to be decided by an adjudicating officer appointed by the Central Government.

Section 82 of the Act has declared a certain class of authorities appointed under the Act to be public servants. However, adjudicating officers and members of the Cyber Appellate Regulations Tribunal have been left out of the purview of section 82.

Thus, it is recommended that section 82 be amended to bring adjudicating officers and members of the Cyber Appellate Regulations Tribunal within the definition and meaning of Public Servants so that they also assume the duties and obligations of a public servant.

Recommendation 24:
Issues relating to removal of difficulties

The Act marks a new era in regulation of electronic commerce and addressing cyber crimes. The initial difficulties created in the implementation of the Act were sought to be overcome by the powers granted to the Central Government to pass orders for removing those difficulties.

However, the Act has been in force since 2000, and hence there is no longer any requirement for section 86, which provides for removal of difficulties by orders of the Central Government within two years of the commencement of the Act.

Thus, it is recommended that section 86 be repealed in light of its redundancy.

Recommendation 25:
Insertion and deletion of certain definitions

The concept of “traffic data” or data in transit has not been introduced in the Act. Therefore, no provisions in the Act address issues relating to information or data in transit. It is imperative that, keeping the amendment to section 66 in mind, an appropriate definition of “traffic data” be incorporated in the Act.

It is also recommended that the definition of “security procedure” vide section 2(zf) of the Act should be removed since the term is redundant considering recommendation 5.