Regulating the Net

Print edition : August 10, 2012

A useful compilation of material that gives both Indian and international perspectives on a wide range of issues relating to cyberspace.

A striking phenomenon of current times is the nearly unbridled growth of cyberspace with its attendant problems, chiefly cyberterrorism and cybercrime. Although India is an information technology (IT) savvy nation, its per capita computer penetration is just modest. This, however, is deceptive because the impact of the computer on daily life in India is otherwise pervasive if one takes into account the mind-boggling growth of cellphones alone. Mobile phones have some software or the other written into them and are, therefore, ready targets for cyber attacks. Forty to 50 per cent of the Indian population of more than 1.2 billion commands at least one mobile phone.

The number of those who have more than one phone is galloping. China has done even better. Many other countries too are marching ahead with rapid computerisation of both the office and the domestic environment. Legislators across the globe have therefore thought it necessary to protect lawful and well-meaning visitors to cyberspace from the dishonest depredator who intends to defraud or otherwise harm them. Cyberspace security depends not only on the disciplined use of the individual computer it also demands the creation of a well-defined set of rules that has a firm legal backing and is enough of a deterrent to potential offenders. This is the background to the genesis of cyber law, which has without doubt become a distinct discipline that helps serious study and research.

The contours of the law are expanding fast in view of the imperative need to provide for various scenarios, some of which may seem theoretical and bizarre at this moment but may not remain so as computerisation gains further territory. For example, there is a need to take into account the emergence of concepts such as cloud computing and the arrival of devices such as the iPad, whose designers, incidentally, do not seem to have set much store by the need to keep information secure. As a result, cyber law has gone quite far in its reach. It is also complex in its construction and interpretation. Major cities in India now have a new breed of lawyers, that is, cyber lawyers, many of whom have a roaring practice. This is a welcome development, especially in the context of the enormous increase in civil litigation relating to online transactions and the escalation in cybercrime.

Modern laws relating to crime and property are dynamic and responsive to new needs. Similarly, computer law is constantly engaged in the task of managing and providing legal cognisance to new situations crying out for legal solutions. This has reduced itself to a fascinating engagement between those who want to break into cyberspace without authority and those who are determined to prevent such entry. My own estimate is that the battle will never be won. That is, however, no case for giving up the sacred duty of strengthening the borderless domain of the average law-abiding computer user against the dangerous terrorist and the less harmful adventurer who looks only for some fun and entertainment by intruding on the privacy of others.

Aparna Viswanathan, a Harvard University and University of Michigan Law School product, has brought out a useful compilation of recent material that gives both Indian and international perspectives on a wide range of issues that should concern all those who access cyberspace for either professional or private needs.

The territory covered by the book is vast, and if Aparna Viswanathan gives the impression of being cursory in some places, it is not her fault. Each of the intricate areas that she handles data security, e-commerce, cloud computing, cybercrime, and so on merits a volume by itself because of the dynamics involved and the consequent complexity of various statutes on the subject. Also, the target audience is in India, where concepts such as data protection and cloud computing are finding slow recognition. Considering that this must have been a difficult book to write, Aparna Viswanathan impresses one with her choice of issues and simple style of communication, which should go down well even with the uninitiated reader.

At the launch of the "Just Delete them" police campaign against cybercrime in Hyderabad in May 2009, the city's Police Commissioner at that time, B. Prasada Rao, pasting posters at an Internet centre.-MOHAMMED YOUSUF

In my view, the primary concern of cyber law should be to protect the privacy of organisations and individuals when they traverse cyberspace. It should also fuse deterrence into the statute books by clearly defining offences and laying down stiff penalties for those who transgress for personal gain or to wreak vengeance on their adversaries.

By this token, Indias Information Technology Act, 2000, was initially soft towards miscreants. It was kind even to those who hacked into computer systems. This offence entailed only a monetary fine. In the more than 10 years it has been in existence, thanks to mounting pressure from experts, there has been a discernible shift in the tenor of the Act towards greater severity. Amendments to it in 2009 gave the authorities more teeth to haul up offenders and get them punished. Supplementing Section 43 of the Act, which had referred only to penalties and compensation for damage to computers and computer systems, the 2009 amendment penalised unauthorised access to individual machines, systems or networks. Section 66 is the penal section that now prescribes punishments (three years of imprisonment or a fine of Rs.5 lakh or both) for the acts listed under Section 43 (including destruction, deletion or alteration of information).

There are hawks who believe that the quantum of punishment is still too low to deter the hardened or influential intruder. This criticism does not take into account changes such as the new Section 66F, which for the first time refers to cyberterrorism and makes it possible for someone found guilty of that crime to be sentenced to life imprisonment. Aparna Viswanathan gives statistics and cites recent case law, both of which are useful and revealing. References to the European Convention on Cybercrime, 2004, the United Kingdoms Computer Misuse Act, 1990, and the United States Computer Fraud and Abuse, Act, 1986, are illustrative of how the Indian statute can benefit from the perceptions on the subject of developed nations.

There is a separate chapter on the intricate subject of encryption, which is a tool for protecting the sensitive data that pass through computer systems. Electronic signature, an allied subject, also receives substantial attention. Aparna Viswanathan discusses in detail the Blackberry case, which provoked an animated discussion in India last year. It reflected on the difficulty of blending the privacy of organisations and individuals with the need for security agencies to know all that is passing through networks. Research In Motion Limited (RIM), the Canadian corporation that runs Blackberry services, had initially taken the obdurate stand that it would not share client information passing through its systems with the Indian government, but the compromise ultimately reached highlighted the fact that privacy of information cannot be absolute and that national security requirements reign supreme. It is for this reason that the monitoring of telephones and electronic mail becomes acceptable although the practice is highly vulnerable to misuse by the establishment.

Indias apparent indifference to the needs of data protection had made many foreign companies reluctant to do business with Indian corporations. IT companies had particularly suffered from this lacuna and consequently lost a considerable amount of business. After a lot of clamour over this for more than a decade, India recognised, in the IT Act itself instead of opting for separate legislation as many countries did, data protection negligence that causes wrongful loss or wrongful gain to any person as a crime. Such failure may take the form of negligence in implementing and maintaining reasonable security practices.

Section 43A (ii) defines reasonable security practices as clearly as possible. The chapter in Aparna Viswanathans book that deals with this is brilliantly conceived and is a storehouse of relevant information. A perspective on how this problem, and many others impinging on the health of cyberspace, is handled in other countries is the strength of this book. It could well serve as a textbook for those who aspire for a career in IT.

This article is closed for comments.
Please Email the Editor