The passage of the Information Technology Act in Parliament is a step forward, but the Act appears to have been drafted without adequate legal and technical inputs and hence lacks clarity on many aspects.
R. RAMACHANDRAN
THE Information Technology Bill, which was introduced in Parliament in November 1999, was passed on May 15 after incorporating some amendments suggested by the Parliamentary Standing Committee on Science and Technology and Environment and Forests in its report on the Bill. The report was tabled in the House on May 12. The IT Act, however, does not cover all aspects of information technology; it leaves out important areas such as Intellectual Property Rights (IPRs), specifically in respect of Internet-related activities.
The original title of the Bill, when it was first mooted in 1998, was the E-Commerce Bill but was subsequently changed in a haphazard attempt to include clauses relating to cyber crime. In effect, the Act basically provides a legal framework for electronic commerce, broadly defined as all transactions - business accounts form the largest share of these - conducted through computers and transmitted over computer networks globally through the Internet, and for dealing with IT-related offences, such as hacking or unauthorised access to computer networks and introducing viruses.
The Act contains some contentious provisions - such as Clause 79, which has been widely criticised as being "draconian". Some provisions recommended by the Parliamentary Committee had been rejected by the Union government - particularly Clause 73 relating to cyber cafes maintaining a registry of persons and Web sites logged into. The Bill has been passed in some undue haste, for reasons not very clear. In this regard, the points raised by the Opposition are valid because the Act lacks clarity in many respects, and seems to have been drafted without adequate legal and, more important, technical inputs.
It must be emphasised that the optimistic projections by organisations such as NASSCOM (the National Association for Software and Service Companies), that the Act would boost the volume of e-commerce in India from the current Rs.450 crores to over Rs.2,500 crores and to Rs.10,000 crores by 2002, are quite misplaced. First, in the Indian context, much of the e-commerce involves neither business-to-client (B2C) transactions nor business-to-business (B2B) transactions but largely revenue from advertising on the Web. Therefore, it becomes difficult to term precisely what e-commerce is and to quantify its value. Secondly, the Act itself is not going to alter greatly the situation because, for one, as legal experts point out, even in the absence of the Act the judiciary would not have dismissed an evidence just because it is in the nature of an e-mail or an electronic document. It would have been treated as circumstantial evidence to the case at hand, and the provisions in the Indian Penal Code and the Criminal Procedure Code have sufficient interpretative room to provide for prosecution if such evidence is conclusive.
For instance, only days before the Bill was passed, a popular Indian portal was charged by the Delhi Police with hosting "pornographic or obscene" material on its site. The police simply downloaded material from the various URLs (unique resource locaters) of the said portal to serve as evidence. The new Act, however, does not provide any new interpretation as to what is considered "pornographic or obscene" in the Indian legal system.
The component of e-commerce that the Act will aid is financial transactions over the Web, particularly of banks and so on, which is not going to happen overnight but slowly over time. Even before the Act was enacted, documents were being exchanged and contracts concluded using the already available encryption software. Similar was the case of transmission of messages and documents based on passwords and e-mail identities.
There have been no e-commerce related cases in the Indian context so far. The only Internet-related cases that seem to have come involve trademarks; that is, someone naming a Web site or a portal with a name sounding or spelt very much like existing popular portals. These cases have been dealt with effectively by the Indian judiciary, and complainants have won their cases. This is a form of "squatting", by which a domain name is occupied to exploit the popularity of the name/identity of a certain entity or person. The Parliamentary Committee had recommended the inclusion of a specific clause to deal with squatting. However, this does not seem to have been incorporated in the final Act. While the reasons for this are not known - and it is an instance of insufficient thought being given to the draft - the absence of the Act itself had not prevented the judiciary from acting on available electronic evidence earlier. This is, of course, not to say that such a legislation is not required. In fact, it is imperative, and hence a lot more thought should have been given to it than is evident.
As stated in the preamble to the Act, it is based on the Model Law of Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) on January 30, 1997. Indeed, the Indian IT Act sets out very well; its first 17 clauses have been adopted straight from the UNCITRAL Model Law. If it had gone the whole hog, with suitable adaptations for the Indian context, it would have been a good e-commerce bill, legal experts point out. It is not clear why the latter provisions of UNCITRAL were dropped. They were dropped perhaps to include other aspects of IT, namely cyber crime. But the crime aspect ought to have been drafted with a lot more care. As it stands, the Act is designed to deal exclusively with hacking and introduction of computer virus. The recent instance of the "I Love You" bug may have given added impetus to the passing of the Bill as a knee-jerk reaction. Indeed, the "I Love You" case itself is a pointer that the existing law, coupled with the technology to track down the path of an e-mail message, is sufficient to trace such crimes even globally.
AT a workshop on the IT Bill held in December 1999 at the National Institute of Advanced Studies (NIAS), Bangalore, representatives of the Karnataka Police pointed out, on the basis of their experiences, that the Bill was inadequate to address some of the IT-related crimes. They cited a long list of such crimes, which included extortion and blackmail over the Net, cyber stalking of celebrities and also new types of crimes ranging from threats to murder. Such experiences certainly highlight the need to give a broader legal framework to tackle cyber crime than has been provided in the Act.
The workshop, in fact, had pointed out that nowhere in the world had an attempt been made to pass one comprehensive legislation to tackle all aspects of IT as the Indian Bill proposed to do. The workshop, which brought together scientists, computer professionals, legal experts (including a judge of the Karnataka High Court), crime investigators of the Karnataka Police and so on, had recommended that instead of one piece of legislation, several laws be passed to deal in detail with each aspect of IT. It recommended that the draft IT Bill of November 1999 be pruned to include only a set of laws relating to the regulation of e-commerce, and that further laws be evolved to deal with cyber crimes, IPRs, jurisdiction and other issues.
Even within the limited framework of e-commerce, the Act, besides being over-regulatory (largely because it follows, in this respect, the Act in Singapore, a highly regulated state) falls far short of what IT trends would demand. The Act contains detailed provisions on the use of "digital signatures". Digital signatures, as the term implies, are akin to signatures of paper-based transactions and documents, and are required to identify the sender and authenticate the document being electronically transmitted. The concept of digital signature is built on the technology of secured transmission of electronic documents over computer networks. In order to maintain confidentiality of communication, the data sent should be "coded or encrypted" so that only the sender or the person equipped with the know-how to decode or de-encrypt the message can read the data. This technology of cryptography is the basis of digital signature.
However, the Act does not take cognisance of the fact that technology in the area of digital signatures is not static. Experts point out that the "asymmetric crypto system", with its underlying basis of a "private key" and a "public key" and the use of computer algorithms such as "hash function" as the only means to which the Act bestows legal sanction, is already entering a phase of obsolescence. In a few years it would be overtaken by other technologies. Pointing out that this would be counterproductive given the short life-time of Internet technologies, the workshop had recommended that such definitions be made technology neutral. For instance, this dual-key encryption adopted in the Act is already giving way to the concept of "signature matrix" or "chaos cryptography". This identifies the key cryptographic elements in the signature and uses it in encryption. The Californian law, for example, provides a list of accepted technologies for encryption and digital signatures, which have to be revised constantly as the law itself is technology neutral. As of now, the Californian law permits these two technologies. Computer professionals and legal experts point out that the Indian IT Act would have a longer shelf life if it follows this model. Given this, the Act, however, does not specify the penalty in case "digital signatures" are not appended in the particular manner dictated by the Act.
Secondly, it is felt that the concept of the Certifying Authorities (which will be some software agencies) and the Controller who would license them for certifying digital signatures - in what form or medium this certificate is supposed to be is not clear though the wording seems to suggest that it would be a piece of paper, which would be contradictory to the entirely paperless transactions being envisaged in the universe of e-commerce - is over-regulatory. Computer specialists point out that encryption technologies that are now available or can be easily developed do not require such regulatory provisions, and in case of disputes can be independently verified at the technology level. Foreign banks in the country are using such techniques. Also, there are global certifying agencies, with much better credentials at authentication (who do not authenticate the digital signatures but unambiguously authenticate the e-mail identity), which are currently being used for transactions in India. The IT Act - in this respect, the law recalls the animal experimentation regulations - would require foreign agencies to register with Indian authorities. What is needed is, therefore, only a controller who is not a bureaucrat as the provisions of the Act seem to suggest but a computer professional with expertise in encryption technologies who can keep track of technology trends and corresponding changes in law enforcement.
The Act has failed to adopt all elements pertaining to e-commerce from the UNCITRAL Model Law. One such important element is the "attribution of electronic records". The Act does not have any provision to regulate the manner in which electronic records may be attributed. All the provisions in the UNCITRAL Law should have been included in the Act so as to take care of this aspect. According to computer experts an important component of UNCITRAL Law that is missing in the Indian Act is the concept of "time stamping". This concept is important in determining the time a particular transaction took place, because in cyberspace or over the Internet there is no unique clock by which one can fix the time of an e-mail message. A message sent an hour before a certain event as per Greenwich Mean Time (GMT) can be claimed to have been sent an hour after by the recipient, for example. Indeed, a portal is now being set up by an international organisation for time stamping of transactions and messages to serve as a global agency for e-commerce operations. This can be done in India under a suitable framework and an accepted protocol.
There are a host of other shortcomings with regard to legal recognition of electronic records which need modification and revision. Significantly there is no legal recognition of electronic document per se. Only when there is a requirement as per other laws to provide information in a certain manner in written or typewritten format, is a corresponding electronic form given legal recognition. The Act does not provide for legal recognition of all types of electronic documents. Such a provision will also give legality to "digital signatures", thus obviating the need for an over-regulatory regime of rules and Certifying Authorities.
While the Act provides for the concept of an "electronic gazette", it has not laid down any security procedures for the publication of the gazette. It has been treated on a par with the paper version, without taking into consideration the potential risk of an electronic gazette being tampered by hackers.
The Act speaks of a secure electronic transaction only in the context of electronic records to which government-prescribed security procedures are applied. This is over-regulatory in the sense that it does not have provisions for legal sanction to different security procedures (this will cover digital signatures by other technologies as well) adopted for private transactions.
The need for expertise in Internet technologies at the regulatory level needs to be underscored also in the context of the Cyber Regulations Tribunal. Experts say that even to understand the technical issues involved, the tribunals should have cells with legal and scientific expertise to assist the adjudicating officers. Also, given the nature of the speed of e-commerce operations and technologies, a time limit on settling disputes is required.
The suggestions of the Parliamentary Committee to make amendments in the Clause 73 - such as making it mandatory for cyber cafes and kiosks (which account for a major share of Internet use in India) to keep a log of all users and the Web sites accessed by them and making them liable to be criminally charged if they fail to do so - were dropped, to the industry's delight. While, in principle, it is possible to keep a record of the history of use of every computer, the sheer volume of traffic and the URLs accessed will be so huge that it will be physically impossible to monitor these. To address concerns regarding intrusion, a combination of high-level encryption as well as the use of technology to trace the source of the crime with the help of experts in the field should be adopted. This is possible; for instance, hackers who broke into the sites of the Indian Defence and Information Technology Ministries were tracked by these methods. While a Pakistani hacker group operating from a portal in Taiwan intruded into the Defence Ministry site, a hackers' club of Pakistanis operating from the United States broke into the IT Ministry's site.
Clause 79 is a contentious provision. It gives extraordinary powers to police officials of the rank of Deputy Superintendent of Police (DSP) and above to search a premise without a warrant for incriminating evidence on suspicion. This has been widely called "draconian". While there is certainly a fear of misuse of this provision, legal experts believe that such sweeping powers are part of practically all laws dealing with crime in the country, not just those dealing with terrorism or narcotics trade. They point out that, unlike in other cases, the obliteration of evidence in the electronic form is too quick to be detected, and the police would hesitate to take such action. This argument is based on the fact that such occurrences in respect of other Acts, where searches of this nature are allowed, have been very rare. What they emphasise is the need to have a trained workforce in the police, which understands the technology, and exercises its powers with discretion. Instead of a horizontally designated authority, a vertically designated authority, depending upon their training, should be deployed to tackle this issue, they point out. In this sense, the suggestion by the Parliamentary Committee to appoint a police task force to tackle cyber crimes is in the right direction, they say.
The passage of the IT Act is a step forward but it has been done in a hurry. It has to be amended sooner or later. But in the process, the country should not move two steps backward.