The Indian Information Technology Act, 2000 (hereinafter referred to as "the Act") is one of the most important pieces of legislation in the recent past. This statute reaffirms India’s commitment towards building a knowledge-based society and keeping pace with the rest of the world by providing a legal framework within which such a society can flourish.
The Act not only addresses issues related to electronic commerce by providing a framework for the establishment of a Public Key Infrastructure in the country, but it also addresses the issues of cyber crime and admissibility of digital evidence through the various provisions incorporated within the Act itself and by way of amendments in other statutes.
However, the ever changing and dynamic information technology sector has already, within three years of the commencement of the Act, made it imperative to review the Act as there seems to be an ever increasing view by the industry, academicians, professionals and the general public that the Act needs to be re-analyzed in its entirety. This need for analysis arises so that the weaknesses that were already present in the Act and have later crept into it, creating ambiguities, can be eliminated.
Asian School of Cyber Laws accordingly recommends that the following changes in the Act be incorporated by way of amendments, additions and deletions to help achieve the objectives for which the legislation was brought into force.
Amendment of the Preamble to the Act
Surprisingly, the Preamble to the Information Technology Act, 2000 omits to even mention cyber crime or computer based crimes whereas an entire chapter of the Act itself deals with such crimes. In the absence of any provision in the Preamble, it would be an onerous task for the Judiciary to construe any provision relating to offences under the Act, in case of any ambiguity.
Thus, it is recommended that the Preamble to the Act be amended to include addressing of cyber crimes as being one of the objectives of the Act.
Legislation relating to privacy
It is also pertinent to note here that the absence of a specific privacy law in India has resulted in a loss of substantial foreign investment and other business opportunities. This deficiency has also served as an obstacle to the real growth of electronic commerce. Thus, a statute addressing various issues related to privacy is of utmost importance today. Accordingly, it is recommended that a statute addressing the issues of privacy be brought into force as soon as possible.
However, if it is deemed fit that an entire and separate legislation not be brought into force, it is nevertheless recommended that specific provisions relating to privacy and data protection be incorporated into a separate chapter by way of an amendment to the Act.
Allowing for technology-neutral methods of authentication of electronic records
The pitfalls of such an approach are obvious considering the fast-paced growth of technology. Recent amendments to the Act only confirm this. Since frequent amendments to any legislation are cumbersome and undesirable, there is a need to make the Act technology neutral by making suitable modifications in section 3 of the Act.
Issues relating to e-commerce transactions
To deter such operators and to encourage public confidence in online commerce, it is recommended that provisions for obtaining digital signature certificates compulsorily for such websites be incorporated in the Information Technology Act, 2000 thereby conferring a degree of authenticity on these websites and eliminating fraudulent transactions to a great extent.
Removal of provisions relating to secure digital signature and security procedure
However, on careful analysis of the provisions relating to the definition of a digital signature it becomes clear that the process of creating a digital signature itself satisfies the criteria laid down in section 15 of the Act. Hence, the need for a secure digital signature becomes redundant. Further, the criteria stipulated in the various sub-sections of section 16 which need to be fulfilled for laying down the security procedure for a secure digital signature are themselves abstract and vague. Section 15 of the Act seems to have been inspired by section 16 of the Electronic Transactions Act 1988 of Singapore. However, the Singapore Act recognizes an electronic signature and hence such a provision holds water under that Act.
Since the Information Technology Act 2000 does not recognize the concept of an electronic signature, it is recommended that sections 15 and 16 of the Act, and all other sections which are incidental to these sections, be removed from the Act to avoid uncertainty and confusion.
Duties of the Controller
Digital Signature Certificates are public documents inasmuch as they have to be published to allow verification of a digital signature. Therefore, there are no secrecy requirements for digital signature certificates. Hence, it is recommended that the words “secrecy and” in section 20(2)(b) be removed from the Act.
Controller’s power to investigate contraventions
However, the appropriate law enforcement agencies are also empowered to investigate offences under Chapter XI of the Act. Such a conflict of powers under the Act gives rise to possibilities of inconsistencies between the two agencies. To avoid such difficulties, it is recommended that the Controller’s power to investigate be limited to penalties under chapter IX of the Act and not extend to offences under chapter XI.
It is also further recommended that appropriate amendments be made to provide for the detailed procedure to be followed by the Controller to investigate the penalties under Chapter IX of the Act.
Key escrow and archival facilities for Private Keys
It is for this reason that key escrow and archival becomes necessary. Thus it is recommended that provisions for key escrow be introduced in the Act for the government and its agencies wherever asymmetric key cryptography and digital signatures are being used. This will prevent piquant situations that would arise if a private key is lost, becomes unusable or is compromised.
Clarification on simultaneous proceedings
Distinct remedies exist for distinct acts and/or omissions. Penalties, which are adjudicated upon by way of civil proceedings, provide for compensation to the aggrieved party. Criminal proceedings on the other hand are aimed at penalizing the offender for and preventing others from carrying out criminal activities. Due to the nature of penalties and offences under the Act, it should be made possible for a person who is aggrieved to seek both compensation and punishment without any one proceeding creating a bar for the other.
Therefore, it is recommended that a specific provision be incorporated in the Act, laying down that proceedings initiated under chapter IX of the Act should not serve as a bar to proceedings initiated simultaneously under chapter XI of the Act against the offender.
Provisions to cover credit card fraud
Credit cards are the primary means through which payments for goods and services are made on the Internet today. However, the public nature of the medium makes use of credit cards on the Internet a dangerous proposition unless adequate precautions are taken to prevent its abuse.
The latter observation is vindicated by the fact that the number of credit card thefts amounts to over 33% of data thefts reported by ASCL-CERT for the year 2001-2002. On a larger canvas, this is much more damaging, with numerous incidents relating to credit cards being reported daily.
Although an attempt has been made to address this through the provisions of section 43(h), the wordings of the said section are rather vague and ambiguous to be interpreted as addressing credit card frauds/thefts. Thus, it is recommended that the term credit card be defined appropriately and a specific provision providing for compensation to an aggrieved party for credit card frauds/thefts be incorporated under section 43.
Issues related to spamming
Since spamming is a cost-effective method and gives wider reach, the problem has attained menacing proportions today. Spamming results in wastage of time and resources and is a constant source of harassment to the targeted person. This predicament is severe enough for many countries to have declared spamming a criminal offence.
While acknowledging the fact that spamming can be a source of constant nuisance, it must be put forward that in most instances spamming hardly gives rise to serious financial loss. In the Indian context, it would be inappropriate to make spamming a criminal offence or an act, which would draw liability under section 43.
Firstly, tracing the perpetrators of this activity is extremely difficult technically. Secondly, it must be kept in mind that the criminal and civil justice system in India is already overburdened. Under such a situation, if spamming is made an offending activity, which attracts legal liability, there will be a flood of litigation that will further burden the courts and make it near impossible to adjudicate upon this issue.
It is worth noting here that if spamming does result in severe financial loss, e.g., in cases where it causes denial of access and damage to computer systems, section 43 of the Act provides for compensation up to one crore rupees to the affected person. Thus, it is recommended that under the present circumstances there is no requirement to categorize spamming per se as an activity that gives rise to any legal right or impose any liability.
Issues related to cyber stalking
Merely stating what cyber stalking involves cannot throw light upon the seriousness of this crime and the adverse way in which it affects the victims of stalking, mostly women and children. Thus, it is recommended that section 509 of the Indian Penal Code, 1860 be amended suitably to accommodate cyber stalking and a provision should be inserted in section 43 of the Act to provide for compensation to a victim of cyber stalking.
Issues relating to trivial acts
Thus, there is an urgent need for incorporation of a provision in the Act on lines similar to section 95 of the Indian Penal Code, 1860, which excludes “acts causing slight harm” from being offences under the Act.
Keeping in view the seriousness of the matter, it is recommended that appropriate amendments may be made in the Gambling Prevention Act to address online gambling.
Stamp duty for filing application before the Adjudicating Officer
Therefore, the stipulation that any fees have to be paid to file an application before an adjudicating officer is completely ultra vires the Act. It may be mentioned that any provision, unless specifically stated under a statute, need not be complied with and hence the proviso to make any payment as fees towards the application vide the rule, as mentioned above, would not be legally valid.
Thus, it is recommended that the said notification relating to payment of fees for filing of application be rendered inoperable.
Issues relating to computer based crimes
- Tampering with computer source code
Section 65 of the Act provides for punishment of tampering with source code of a computer program. However, the wordings of section 65 are ambiguous and vague. The section applies to computer source codes “which are required to be kept or maintained by law for the time being in force...”. In the absence of any clarification as to which programs “are required to be kept or maintained by law”, the application of the provision to an act involving tampering or concealing computer source documents is doubtful. Thus, it is recommended that section 65 be reworded to remove the ambiguity existing in the section.
- Creation of harmful programs
Viruses, worms and other malicious programs cause losses amounting to millions of rupees every year. Disseminating a computer virus or any other kind of malicious computer program has become very easy with the advent of the Internet. Accordingly, hundreds of malicious computer programs are released every day and spread rapidly through the use of the Internet. In the absence of any penal provision to punish the creator of a malicious computer program, such activities are rampant and these situations adversely affect computer users across the world.
Though section 66 of the Act provides punishment for damaging, deleting, or altering information in a computer resource i.e. under the provisions of Hacking, it does not penalize the creator of a harmful program, whose acts can result in hacking. A careful analysis of section 66 also reveals that the section is applicable to “information stored in a computer resource”. These wordings therefore make the provision inapplicable to data in transit.
Thus it is recommended that section 66 of the Act be suitably amended to penalize the creator of a harmful or malicious computer program and to make it applicable to data that is in transit.
- Encrypted communication
Cryptography is proving to be a deadly tool in the hands of terrorists and criminals. Disturbing trends are emerging where criminals and terrorists have been using encrypted communication to co-ordinate and execute their nefarious activities.
Section 69 of the Act penalizes a person in charge of a computer resource who fails to assist an investigating agency directed by the Controller to intercept information and decrypt encrypted communication from that computer resource.
However, section 69 is narrow in its scope as it is applicable only for cases specified therein. Also, a written order from the Controller authorizing such interception or decryption is a key ingredient of that section.
Considering the present situation where emails and the Internet are fast becoming the primary means of communication, it is recommended that the scope of section 69 be widened. The enhancement should be in a manner, which would make it possible to apply section 69 for matters other than those cited. Additionally, the requirement for the Controller’s authorization to be recorded in writing should be eradicated. Instead, such an order should be given by any competent authority appointed or notified by the Appropriate Government to the investigating agency for interception of information and decryption of data.
Section 70 of the Act provides for enhanced punishment for accessing or attempting to access computer systems, which are declared as “protected” computer systems under the said section. However, the procedure for declaring such computer systems as protected as laid down under section 70 is cumbersome and lengthy. There is a need to simplify the procedure required for declaring a computer system as being protected under section 70.
Keeping the Singapore model in mind it is advisable and recommended that section 70 of the Act should be suitably amended to include several types of sensitive systems and therefore avoid the cumbersome procedure that is enumerated in the present section. It is therefore recommended that instead of specifically requiring the appropriate government to declare a computer system as being protected by notification, it would be appropriate to specify the category of “protected computer systems” in the Act itself.
Issues relating to Extraterritorial jurisdiction
A careful reading of section 75 reveals that such extraterritoriality is applicable only to offences under the Act. It is significant to note here that a class of cyber crimes is also defined under the Indian Penal Code, 1860 due to the amendments made to the latter by the Act. As per section 75, those crimes would be excluded from the purview of extraterritoriality that exists for offences under the Information Technology Act 2000.
Thus, it is recommended that section 75 of the Act be amended to confer extraterritorial jurisdiction for offences committed and penalized under other statutes.
Admissibility of electronic records
However, the provisions of section 65B (2), which need to be fulfilled for making electronic records admissible in a court of law are unclear and vague. The said provisions throw no light upon how to fulfill the conditions mentioned therein. In the absence of any clarity, it is doubtful as to the procedure to be followed to make electronic records admissible in a court of law under section 65B (2).
Thus, it is recommended that section 65B (2) of the Indian Evidence Act, 1872 be simplified by way of amendment to render it clear and unambiguous.
Investigation of offences
Thus, it is recommended that sections 78 and 80 of the Act be amended to allow for investigation of offences registered under the Act by a police officer irrespective of his rank. This will lessen the burden on the shoulders of a high-ranked police officer for investigating each and every crime under the Act and at the same time allow for adequately addressing the grievances of an affected party at a much faster pace.
Liabilities of Internet Service Providers
It is also worth mentioning that Network Service Providers can be classified into distinct categories, e.g., Internet Service Providers and application Service Providers according to the nature of service provided by them. Under such circumstances, the rights and liabilities of various classes of Network Service Providers should be clearly spelt out by virtue of provisions under the Act.
Although, section 79 of the Act tries to address the liability of a Network Service Provider, it does not clearly spell out or lay down their rights and liabilities. This may create apprehensions in the mind of organizations wanting to invest in such businesses.
Thus, it is recommended that additional provisions be included in the Act under chapter XII to clearly address the rights and liabilities of Network Service Providers so as to give impetus for investment in these areas.
Section 82 of the Act has declared certain classes of authorities appointed under the Act as public servants. However, adjudicating officers and members of the Cyber Appellate Regulations Tribunal have been left out of the purview of section 82.
Thus, it is recommended that section 82 be amended to bring adjudicating officers and members of the Cyber Appellate Regulations Tribunal within the definition and meaning of Public Servants so that they also assume the duties and obligations of a public servant.
Issues relating to removal of difficulties
However, the Act has been in force since 2000; hence there is no requirement for section 86, which provides for removal of difficulties by orders of the Central Government within two years of commencement of the Act.
Thus, it is recommended that section 86 be repealed in light of its redundancy.
Insertion and deletion of certain definitions
It is also recommended that the definition of “security procedure” vide section 2(zf) of the Act should be removed since the term is redundant considering recommendation 5.