[India] Information Technology Act: Danger of Violation of Civil Rights by Sruti Chaganti

Source: The Economic and Political Weekly [Bombay, India] August 23, 2003

[India] Information Technology Act: Danger of Violation of Civil Rights

The Information Technology Act raises very real concerns. It demonstrates a legislature deeply sceptical of the internet, rooted in the conventions of the past, yet battling with the need for an information technology law in the present-day circumstances. This straddling of the known and the unknown has strange results. In its desperate need to bring in some security for activity on the net, it relies heavily on the executive, little realising that it can result in violation of civil rights particularly, in the light of India's infamous emergency. The absolute control it attempts to achieve over certifying authorities is worrying for the same reason. The act lacks balance.

by Sruti Chaganti

I

Introduction

When I say the brain is a machine, it is meant not as an insult to the mind but as an acknowledgment of the potential of a machine. I do not believe that a human mind is less than what we imagine it to be, but rather that a machine can be much, much more.1

- W Daniel Hillis

The Pattern on the Stone

From Charles Babbage's first computer far back in the 1800s to the military network of 40 computers in the US connected by links and lines in 1969 called the Advanced Research Projects Agency Network (ARPANET) to the internet as we know it today, a world wide web that links the globe through 50 million nodes, a network of 233.3 million computers and a user group of 163 million individuals/entities,2 technology and therefore life has progressed into a world which seeks to obliterate barriers of economy, polity, society and administration.

When Prannoy Roy gaped at Sabeer Bhatia's description of his life on the net3 from business through entertainment to shopping for fresh vegetables, I agreed with Roy. But today the net has indeed overtaken conventional living. Business on the net is easy and with the variety of services offered it is of little wonder that people are increasingly turning to the net for everyday living. The future lies there - in a network of computers spanning the globe.

It becomes imperative then that government services are also delivered online. This could prove to be a blessing for the net entails transparency and accessibility of information: the lifeblood of any democracy. Corruption and red tapism, the greatest evils of modern governments can be thwarted fairly successfully. And for ordinary users - if they can buy vegetables and pay their bank dues on the net shouldn't they also be able to pay their electricity bills and apply for is licences online?

If e-governance and e-commerce are to be viable options, electronic records and digital signatures must gain legal validity. If the courts of law refuse to enforce a contract or validate a licence, entered into or obtained on the net, the growth potential of the internet will be severely retarded.

And yet the internet is not all goodness and opportunity. The World Wide Web is the playground of a new sort of criminal - one who revels in the anonymity offered by a network of millions of computers and whose apprehension legal systems across the world are battling with rather unsuccessfully. The internet challenges every single convention and belief that traditional legal systems are based upon. Benjamin Wittes is said to have remarked:

Suppose you wanted to witness the birth and development of a legal system. You would need a large complex system that lies outside of all other legal authorities. Moreover, you would need that system somehow to accelerate the seemingly millennial progress of legal development, so you would witness more than a moment of progress. The hypothetical system might seem like a social scientist's fantasy, but it actually exists. It's called the Internet.4

It is to enable online governance and to grant legal recognition to electronic records and digital signatures that the Information Technology Act was passed. The act attempts to regulate life on the net and counteract known dangers to security and privacy of information. In doing so, it has set up a regulatory mechanism that is distinguished by the stranglehold the central government has been granted on all matters pertaining. The act has been the subject of severe criticism for the extent of executive discretion, immunity for executive actions, disproportionate penalties and the introduction of a system so tedious and complex that it is bound to hamper the progress of life on the net for Indians. Worse still is the extensive power granted to the state to impinge on the privacy of netizens.

This paper examines the feasibility of e-governance in light of the provisions of the act and the very real dangers in following through with it. An analysis is made in light of the UNCITRAL model provisions, the insecurity of the net and the existing legal system. The emphasis is on administrative functioning or malfunctioning and its impact on the fulfilment of the intentions of the act.

II

E-Governance

The Preamble of the Information Technology Act, in one of its clauses, reads:

and WHEREAS it is considered necessary to give effect to the said resolution and to promote efficient delivery of governance services by means of reliable electronic records; be it enacted by the Parliament in the fifty-first year of the Republic of India as follows...

The United Nations Commission on International Trade Law adopted the model law on electronic commerce which was then adopted by the General Assembly in a resolution5 that requires the states to give favourable consideration to the model law when enacting or revising their laws of similar import. India accordingly enacted the ITA 2000 keeping in view the provisions of the UNCITRAL model law.

Section 4 of the Information Technology Act titled 'Legal Recognition of Electronic Records' lays down that where any law requires that any information/matter shall be in writing/ type-written/printed form, then notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is (a) Rendered or made available in electronic form; and (b) Accessible so as to be usable for subsequent reference.

The one section combines the import of both articles 5 and 6 of the UNCITRAL Model Law.6 There is no provision in the ITA however which corresponds to paragraph 3 of article 6 of the said Model which allows an enacting state to exclude certain specified situations from the application of the functional equivalence doctrine where an enacting state does not wish to establish such a complete equivalence as in the case of cheques, wills, negotiable instruments, etc.7 However if such a provision might have been redundant in the light of section 9 which lays down that nothing contained in sections 6,7 and 8 confer any right upon any person to insist that any ministry or department of the central government or state government or any other authority/body established by/under law or controlled/funded by the central/state government should accept/issue/create/retain/preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.

Section 5:8'Legal Recognition of Digital Signatures' lays down that where any law requires that information/other matter should be authenticated by signature, then notwithstanding anything contained in such law, the requirement will be deemed to have been fulfilled if authenticated by means of a digital signature affixed in the manner prescribed by the central government.

Section 16 lays down that the central government prescribed the security procedure having regard to commercial circumstances prevailing at the time when the procedure was used including: (a) the nature of the transaction; (b) the level of sophistication of the parties with reference to their technological capacity; (c) the volume of similar transactions engaged in by other parties; (d) the availability of alternatives offered to but rejected by any other party; (e) the cost of alternative procedures; and (f) the procedures in general used for similar types of transactions or communications.

However section 15 lays down that if by application of a security procedure agreed to by the parties concerned it can be verified that a digital signature, at the time it was affixed, was: (a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; and (c) created in a manner or using a means under the exclusive control of the subscribed and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered, the digital signature would be invalidated, then such signature shall be deemed to be a secure digital signature.

While the tenor of section 16 is that the security requirements of a signature will be determined by central government rules, the inference of section 15 is that private parties also can work out their own security procedures. Yet the tone and tenor of the entire act and the rules does not bear out the latter inference. Is this a contradiction in terms? Or, is there a plausible interpretation?

Section 6 of the ITA lays down the foundation of electronic governance. By sub-section (1) it allows for the filing of any form, application or other documents, creation, retention or preservation of records issue a grant of any licence or permit or receipt or payment in government offices and its agencies may be done through the means of electronic form.

Sub-section (2) provides for the making of rules by the appropriate government to prescribe: (a) the manner and format in which such electronic records shall be filed, created or issued; (b) the manner or method payment of any fee or charges for filing, creation or issue any electronic record under clause (a). This legislation is particularly useful because it allows for such online filing without piecemeal amendments having to be made to different acts. Section 9, which has already been discussed, allows for this to happen on an "opt-in" basis so that those agencies which are not yet ready to go "paperless" are not compelled to do so. But whether such a blanket exemption should have been granted instead of an adequate timeframe is debatable.

Section 79 deals with the 'Retention of Electronic Records'. Sub-section (1) lays down that where the law requires certain documents, records or information be retained, that requirement is met by retaining data messages, providing certain conditions are satisfied: (a) the information contained therein is accessible so as to be usable for subsequent reference; (b) the data message is retained in the format in which it was generated sent or received, in a format which can be demonstrated to represent accurately the information generated, sent or received; and (c) such information, if any, is retained as enables the identification of the original and destination of data message and the date and time when it was sent or received.

The proviso to the sub-section reads: An obligation to retain documents, records or information in accordance with sub-section (1) does not extend to any information the sole purpose of which is to enable the message to be sent or received. Sub-section (2) lays down that nothing in the section shall apply to any law that expressly provides for the retention of documents, records or information in the form of electronic records.

Section 8 of the ITA provides for the publication of an Electronic Gazette with a proviso which states that where any rule/regulation/order/by-law/notification/any other matter is published in the official Gazette or in the Electronic Gazette, the date of publication shall be deemed to be the date of that official Gazette which was first published in any form.

Section 10 gives the central government the power to make rules so as to prescribe (a) the type of digital signature; (b) the manner and format in which the digital signature shall be affixed; (c) the manner or procedure which facilitates identification of the person affixing the digital signature; (d) control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments, and (e) any other matter which is necessary to give legal effect to digital signatures.

While the ITA 2000 has gone along with the UNCITRAL model provisions a good distance, it has made subtle but significant changes which leads one to question whether the act succeeds in what it sets out to do. Section 9 is a major drawback as it leaves a large amount of discretion in the hands of the government as to whether or not to go online. While it is a fact that the government needs time to break conventions over a hundred years old and to train employees to catch up with modern technology, the absence of any kind of time frame can seriously hamper e-governance becoming a feasible option in the near future.

III

Electronic Records and Digital Signatures

Section 3(18) of the General Clauses Act, 1879 defines document as "any matter written, expressed or described upon any substance by means of letter, figure or marks, or by more than one of these means which is intended to be used, or which may be used for the purpose of recording that matter".10

Information on the computer is stored as bits and bytes, the electronic equivalent of zeros and ones. It is thus argued that these zeros and ones are expressions on the computer disc in the form of a figure or mark thereby classifying electronic records as documents under Indian law.11

Section 11 of the ITA lays down that an electronic record shall be attributed to the originator if it was sent (a) by the originator himself; (b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or (c) by an information system programmed by or on behalf of the originator to operate automatically.

The General Clauses Act does not define signature anywhere but explains 'sign' with its grammatical variations and cognate expressions, with reference to person, to mean affixing of his handwritten signature or any mark on any document. It is argued that if a person can introduce such information to any document so as to authenticate authorship, it will be construed as a signature whether written or printed and so digital signatures are also covered.12

Section 4 of the ITA provides for a subscriber to authenticate an electronic record by affixing his digital signature by the use of "asymmetric crypto system which envelop and transform the initial electronic record into another electronic record".

While the UNCITRAL model provisions have chosen to be technology neutral when it comes to methods of digital signatures, the ITA has made it clear that a digital signature has to be using the asymmetric crypto system.

'Cryptography' is derived from Greek words that mean "secret writing" and involves the process of encryption and decryption. Encryption is the process of transforming plain text into unintelligible form and decryption is the process of converting the unintelligible data back into the original plain text.13 Encryption can be used for two purposes: (1) Maintaining the confidentiality of the message; and (2) Affixing a digital signature.

In the former case the text itself is converted using an algorithm into cipher text so as to ensure that those who are not intended to read the message do not read it. The process used is called symmetric cryptography, or secret key cryptography. In this process the same key or algorithm that is used to encrypt also has to be used to decrypt.

Owing to the disadvantages of symmetric cryptography,14 the asymmetric crypto system came into place. The system envisages the use of two keys - a public key and a private key. The explanation to sub-section (2) to section 3 reads "For the purpose of this sub-section, 'hash function' means an algorithm mapping or translation of one sequence of bit into another, generally smaller set known as 'hash result' such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible (a) to derive or reconstitute the original record from the hash result produced by the algorithm; (b) that two electronic records can produce the same result using the algorithm."15

Thus to create a digital signature, the following would be involved:

(1) Section 2 (1) (zc) of the ITA defines a 'private key' as the key pair used to create a digital signature.

(2) Section 2(1) (zd) of the ITA defines a 'public key' as the key of a key pair used to verify a digital signature and which is listed in the digital signature.

(3) The information that has to be signed is delimited and is popularly known as the 'message'.

(4) On this message the hash function is applied which compresses the information in a digital form known as the 'hash result' or the 'message digest'. The hash function computes a result of standard length which is unique to the electronic record and in such a way that it is impossible to reconstruct the original data from the hash results and for two electronic records to produce the same result using the same function.

(5) The signatory uses his private key to encrypt the data and this is his digital signature.

(6) He appends the original message to the digital signature and sends it electronically to the addressee.

(7) The addressee decrypts the signature using his public key and recovers the message digest.

(8) He then applies the hash function on the plain text message attached and derives its hash result.

(9) He ompares the two message digests to ensure that there has been no tampering.

The public key and private key are large numbers of a string of data produced by using a series of formulae and are mathematically related to each other.16 The security and confidentiality of the private key are imperative for the system to be successful. Its major advantage lies in the fact that the public key can be made freely available by publication in a directory, online repository and even visiting cards without compromising the security of the private key provided the system is designed well enough to prevent hacking. Yet critics of this system find its security a severely debatable point.

IV

Insecurity of the Net

The UNCITRAL model law concentrates upon two basic functions of a signature to identify the author of a document and to confirm that the author approved the content of the document.

An electronic signature means any letters, characters, numbers or other symbols in digital form or attached to or logically associated with an electronic record, and executed or adopted with the intention of authenticating or approving the electronic record and is fundamentally different from a digital signature. A digital signature is an "electronic identifier that utilises an information security measure, most commonly cryptography, to ensure the integrity, authenticity and non-repudiation of the information to which it corresponds". 17 The information security measure mandated by the act is the asymmetric crypto system and hash function. Thus a digital signature serves three essential functions:

Data Integrity - indicates whether a file or message has been tampered with. Data Authentication - makes it possible to digitally (mathematically) verify the name of the person who signed the message. Non-repudiation - makes it impossible for the originator of the message to deny that it was either not sent or signed by another person.18

Despite this digital signature have run into problems and have been the subject of severe criticism by sceptics. Digital signatures have raised issues on the fronts of security, privacy and authenticity. Section 3 of the ITA Act is categorical when it comes to ensuring that only public key cryptography and hash function can be used to digitally sign documents. It is argued in favour of the provision that states can develop detailed regulatory schemes which in theory should provide for certainty and allow for infrastructure development. The fact that all of known systems, the asymmetric crypto system is hardest to crack made it the logical choice.

However, the argument against being technology specific is steadily building up. Limiting transactions to the said system can be harmful and self-destructive as it is in the process of being replaced by a more secure system. Further infant technology will either not be developed or gain a foothold in the market. The more horrifying possibility is that the legal system will be tied to an insecure system. The most ignored disadvantage however is that adopting an exclusive technology opens the door wide to more successful breaches of that technology.19 Cryptography is based on algorithms which are complex mathematical puzzles and it can be broken simply by solving the puzzle. While a simple one takes very little time, a more complex one just takes longer. The safety of cryptography is based on the complexity of the mathematical puzzle. When there is only one technology, efforts to break it can be that much more dedicated and concentrated. The use of computers makes it easier. The computer is simply allowed to test each mathematical possibility until the algorithm or mathematical solution is found. This method is called a 'brute force attack'. The strength of the algorithm, it can be then said, depends on the time taken to test each mathematical possibility - greater the number of possibilities, greater the time taken. The law of averages then dictates that the solution can be found after only 50 per cent of the possibilities have been tested.20

Thus an argument is mooted in favour of a technology neutral approach on the grounds that it offers more flexibility and security. Further considering that legislators are not in a position to predict the future with cryptographic advancements or legal developments, they should just keep away from prescribing any one technology. And yet is this approach without its problems? A critique of the American law finds exactly this neutrality problematic. "The new law says nothing about technology. Any number of companies will say their digital signature technology is the safest and the best. We'll likely discover who is right through trial and error. In the meantime, the details of e-signatures and electronic contracts will almost certainly end up back in court."21

Digital signatures are prone to 'spoofing' where a bogus public key is created that purports to be that of a particular person when it really is not. It is to address this risk that certification authorities are envisaged to certify that the public key is that of a particular person.

In the creation of these certification authorities, the act has run the severe risk of compromising the privacy for individuals online. Alan F Westen defines privacy as: "the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behaviour to others".22 The ITA has made it clear that a digital signature will be valid only if it is obtained under the provisions of the act. This means that they will be forced to establish their identities with one or more certification authorities under the act. This is intrusive because it requires people to expose data about themselves that they may wish to keep private particularly when it is not necessary that they reveal such information. Three pressures have been identified that make the necessity felt for collecting identification information: (1) the Technological imperative - "it can be done, so it should be done" (2) the Marketing imperative - "the more the marketers know about consumers, the more efficient marketing communications will be, and the better informed the consumer is"

(3) the Social Control imperative - "the public is not to be trusted, and data about their behaviour is essential in order to deter non-compliance and detect and prosecute offenders".23

The approach that establishing standards will counteract the evils of taking personal information, as in the case of Australia, for instance,24 does not remove the main issue. Rule 33 of the Certifying Authorities rules, for instance, states that such information as is not revealed on the digital signature certificate shall be kept confidential. But the fact is that the chances of that information indeed remaining private are slim when one takes into account the functioning of our bureaucracy.

One might wonder what the hue and cry about privacy is. Just as one fills in thousands of documents in government offices, this is just another one of those. Further our constitution does not expressly grant us the right to privacy - it has been impliedly read in. But the essential fact is that we are dealing with here is the internet. The positive resource that one creates for secondary use though such information being revealed to all and sundry is mind-boggling. The digital signature certificate is a public document - it would defeat the purpose otherwise. They can be published in online repositories. With dotcom sites stealing information and selling it unauthorisedly, the risks of impersonation become manifold.25 "A digital signature stands for a human in cyberspace ... yet it can be used by others."26

Section 39 of the ITA makes it mandatory to publish a notice of suspension or revocation of a certificate in an online repository. Section 38 allows for the revocation of a certificate on request of the subscriber or any person authorised by him. This creates its own set of problems. What if the repository is manipulated by someone? What if an impersonator makes a request? A digital signature is likened to a passport.27 If once a person's details appear in the online repository without any fault of his, his credibility is lost. And if someone impersonating the subscriber has the certificate revoked and the new one issued, the consequences are too horrifying to think of.

Generating a key pair is not inexpensive. How then is the ordinary user of governmental services supposed to procure one?

Expense apart, for the success of the system of digital signatures it is essential to maintain confidentiality of the private key and its safety. The key generation should be undertaken entirely under the control of the individual concerned. The fact that the government lay down the security procedure is itself a bone of contention for it is believed that the government would have a vested interest that a private key be not too secure.28 Even if one were to agree that a basic standard has to be set for otherwise the key pair might not be secure, the requirement of rule 3 (1) (b) that the procedure for generation of the public and private key be specified in the application for the grant of licence and rule 19 (vi ) that the encryption technique has to be approved by the controller have no justification.29 It is argued that "this will defeat the very purpose of having a secure encryption technique or else any one can break into the public key or private key using the technique set out for encryption".

The private key is usually a large number quite impossible to memorise. Storing it in the hard disk of a computer leaves it wide open to theft by a number of methods, each of which is quite undetectable. Storing in a floppy or CD in such a way that it does not enter into the memory of the computer increases its chances of being lost and falling into the wrong hands.30 Again there is the issue of back up. "Escrow" is an arrangement whereby something is placed on deposit with a trusted third party. This is a potentially dangerous proposition. An alternative to this can be worked out where the algorithm is broken up into several parts and stored with several organisations/individuals such that it is impossible for them to collude and yet to determine what the private key is with their bit of algorithm.31

While the theory is that when A wants to sign a document she performs a mathematical calculation using the document and a private key; then she appends the result of that calculation which is a signature to the document and sends it off. The truth is that more often that not, her computer does it for her for which reason, she stores the private key on her hard disk.32 Now there are three well known ways in which a system can be penetrated:

Monitoring of electronic emissions33: Most electronic communication devices emit electro magnetic radiation that is highly correlated with the information carried or displayed on them and can be read off the terminal in principle from a distance by equipment specially designed to do so.

Device penetration34: A software controlled device can be penetrated in a number of ways. For example, a virus may infect it, making a clandestine change. A message or a file can be sent to an unwary recipient who activates a hidden programme when the message is read or the file is opened; such a programme, once active, can record the keystrokes of the person at the keyboard, scan the mass storage media for sensitive data and transmit it, or make clandestine alterations to stored data. The virus could display one message on the screen and sign another by penetrating the signing software. Infrastructure penetration35: The infrastructure used to carry communication is based on software controlled devices called routers through which information travels in data packets. Router software can be modified to copy and forward all or selected traffic to an unauthorised computer. There are myriad ways in which data can be lifted off a person's computer. A digital signature authenticates the document up to the point of the signing computer but does not authenticate the link between that computer and the signatory.36 Even where the private key is not stolen, an honest mistake can result in a costly mistake. As Jessi Berst said, "there will be some volatile disasters in the early days when somebody's seven-year old clicks and sells the house or buys a car. When that happens, a pen and paper will seem like pretty nifty technology".37

It is in this context where it is not easy to detect that the private key has been compromised that the explanation to section 42 creates an unbreakable onus on the subscriber. In an attempt to cap the liability on the CA and the addressee, the explanation declares that the subscriber shall be liable till he has informed the certifying authority that the private key has been compromised.

V

Administrative Control

In an attempt to counteract the known dangers to digital signatures and transactions on the net, the ITA has set up a regulatory mechanism in such a way that it almost defeats the dual purpose of facilitating e-transactions and securing them.

Strangulating Administrative Control

Section 17: Appointment of Controller and Other Officers

(1) The central government may by notification in the official Gazette, appoint a controller of certifying authorities for the purposes of this Act and may also by the same or subsequent notification, appoint such numbers of deputy controllers and assistant controllers as it deems fit.

(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the central government

This section has thus made it clear that the Controller will be an officer of the central government and thus a part of the executive arm of the state.

Section 18 lays down the functions of which the Controller may perform all or some thereby granting the Controller excessive control over the certifying authorities. Just to mention too: clause (a) in exercising supervision over the activities of certifying authorities (there is nothing per se wrong with the supervision except that a perusal of the act and guidelines leads one to understand that such supervision can be terribly intrusive) specifying the contents of different printed or visual materials and advertisements that may be distributed or used in respect of a digital signature, certificate and the public key. The act puts in place a complex system of licensing certifying authorities giving the Controller and therefore the government in demanding absolutely any kind of information before an application can be granted. Too short a period has been granted between the grant of a licence and the requirement for setting up a shop. Section 19 allows for the recognition of foreign certifying authorities by the Controller if he chooses with the approval of the central government.38 But section 32 requires the foreign authority to have a place of business in India which can prove to be a sure dissuasive factor to foreign authorities. Many Indians have obtained digital signature certificates from the international (non-Indian) certifying authorities like Verisign and Globalsign.39 The rules do not provide for the verification of these signature certificates and therefore invalidate almost all of them. And yet to date, no CA has become fully functional under the act.

Penalties and Offences

Section 42: Penalty for damage to computer, computer system, etc.

If any person without permission of the owner or any other person who is in charge of a computer system or computer network -

(a) accesses or secures access to it

(b) downloads, copies or extracts any data, computer data base or information from it

(c) introduces or causes to be introduced any computer containment or computer virus into it

(d) damages or causes to damaged any computer, computer system or computer network, data, computer database or any other programmes residing in it

(e) disputes or causes disruption of any computer, computer system or computer network

(f) denies or causes by denial of access to any person authorised to access it

(g) provides any assistance to any person to facilitate access in contravention of provisions of this act

(h) changes the services availed of by a person to the account of another person by tampering or manipulation he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Section 65: Tampering With Computer Source Documents

Whoever knowingly or intentionally conceals, destroys or alters, or intentionally or knowingly causes another to conceal destroy or alter any computer source code used for a computer, computer programme, computer system or computer network where the computer source is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years or with a fine which may extend up to 2 lakh rupees, or both.

Section 66: Hacking With Computer System

(1) Whoever with intent to cause or knowingly that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years or with fine which may extend up to 2 lakh rupees or both.

As is fairly obvious, the penalties that have been imposed are monstrously large. These sections are much needed in view of the absolute insecurity of the Net and the argument is that such heavy penalties will have a deterrent effect. While that point is debatable, there are a few basic flaws in the drafting of these sections. Section 66 in the first instance is redundant thanks to section 43. But most importantly, the definition of hacking itself is per se wrong. It is not necessary that a hacker will destroy/delete/alter data. He may just enter, read the private key and leave the system again without having touched anything inside.

Section 44: Penalty for Failure to Furnish Information, Return, etc.

If any person was required under this act or any rules or regulations made thereunder to -

(a) furnish any document, return or report to the Controller or the certifying authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure.

(b) file any return or furnish such information, books or other documents written in the time specified therefore in the regulations fails to file return or furnish the same within the time specified therefore in the regulations, he shall be liable to a penalty not exceeding 5,000 rupees for every day during which such failure continues.

(c) Maintain books of account or record fails to maintain the same, he shall be liable to pay a penalty not exceeding 10,000 rupees for every day during when such failure continues.

Section 45 puts in place residuary penalty - there is no express penalty provision, compensation amount of Rs 2,000 shall be paid.

These sections go a little overboard in the imposition of penalties. Notwithstanding the all intrusive control, the CAs are extensively liable in the above mentioned ways. There is no exception for the bona fide mistakes. The certification authorities are obligated to disclose anything which materially and adversely effect either the reliability of a certificate or the authority's ability to perform its services. If a contravention under this act for reasons outside the control of the CA occurs, does it mean that the CA stands to lose its credibility?

Governmental Access

It is this part of the act that creates the most problems and results in creating a system of regulation that leaves far too much discretion and power in the hands of the government.

Section 29: Access to Computer and Data

(1) Without prejudice to the provisions of section 68, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made thereunder has been committed, have access to any computer system, any apparatus, data, or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in are available to such computer system.

(2) For the purpose of sub-section (1) the Controller or any person authorised who may by order direct any person in charge of or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical or other assistant... as he may consider necessary.

The section empowers the controller to access any information or data from any computer system if he has a reasonable cause to suspect that any contravention of the provisions of this act has occurred. The controller is an aim of the executive branch of the state and is under the absolute control of the central government and there is absolutely no reason why the controller will not oblige executive whims. Neither the section nor the general context of the act imposes any kind of accountability on the controller - if anything is a subtle (?) attempt at excluding judicial review of actions on the ground that the controller had reasonable cause to suspect a contravention.

Section 28 (1) empowers the controller or any officer authorised by him to investigate any contravention of the provisions of this act. In doing so sub-section (2) has granted him the powers conferred on Income Tax authorities under chapter XIII of the Income Tax Act 1961. It is argued with some fervour that it shows poor appreciation of the nature of the internet- cyber space. The provisions of the Income Tax Act have been expressly designed with the view to curtail financial irregularities. Even if section 29 had been tempared with judicial authority, the effect would not have been so bad. But the section as it stands in conjunction with grant of powers under the Income Tax Act indicate a definite favour to the state of arbitrariness.

Section 80 gives any police officer not below the rank of DSP or any other officer of central/state government authorised by central government to enter any place and search and arrest without a warrant. And notwithstanding the provisions of the CrPC, any person who is suspected of having committed or committing any offence under the act. Though the provisions of CrPC come into play once the arrest is made, the conferral of powers under this section may lead to very real misuse.

Section 69: Directions of Controller to a Subscriber to Extend Facilities to Decrypt Information

(1) If the Controller is satisfied that it is necessary or expedient so as to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the Commissioner of any cognisable offence, for reasons to be recorded in writing by order, direct any agency of the Government to intercept any information transmitted through any computer source.

(2) The subscriber or any person in charge of the computer resource shall when called upon by any computer agency which has been directed by sub-section (1) extend all facilities and technical assistance to decrypt the information

(3) The subscriber or any person who fails assists the agency referred to in sub-section (2) shall be punished with an imprisonment for a term which may extend to 7 years.

In a few words, the controller has been empowered to 'intercept' any communication on the net. The Oxford Advanced Learners Dictionary of Current English defines the word intercept as 'stop or catch (somebody travelling or something in motion) before he or it can reach a destination.'40 This section therefore could be facilitating surveillance over a period of time without the knowledge of the person concerned. This is a grave infringement of the civil rights of citizens, particularly where the subjective satisfaction of the controller that such surveillance is required is all that it takes.

The controller has been granted very wide discretionary powers and absolutely no guidelines, checks or balances have been provided to determine the 'satisfaction' of the Controller.

A paltry attempt has been made in section 72 to bring some responsibility into the system. The section deals

save as otherwise provided in this Act or any other law for the time being in force, if any person who in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, registers correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to 2 years or with fine which may extend to 1 lakh rupees or with both.

This measure has been dismissed as paltry because under this section, misconduct has to be proved whereas suspicion is enough for sub-sections (2) and (3) of section 69 to apply. Further while sub-section (3) of section 69 punishes a subscriber with seven years imprisonment, this section imposes a mere two-year imprisonment on an official of the state who owes a greater responsibility to both the state and the people.

Further, various provisions in the act will make it next to impossible to prove anything under this section and they are dealt with as under.

Immunity to Officials Under this Act

Section 82: Controller, Deputy Controller and Assistant Controllers to be public servants.

The presiding officer and other officers and employees of a cyber appellate tribunal, the Controller, The Deputy Controller and the Assistant Controllers shall be deemed to be public servants within the meaning of section 21 of the IPC.

It has been argued that it is not clear whether this is sufficient to bring it within the ambit of The Prevention of Corruption Act.

What is far more worrying is section 84 which reads thus:

No suit, prosecution or other legal proceedings shall be against the central government, the state government, the controller or any person acting on behalf of him, the presiding officer, adjudicating officers and the staff of the cyber-appellate tribunal for anything which is in good faith done or intended to be done in pursuance of this Act or any rule, regulation made thereunder.

This blanket exemption successfully thwarts any attempt at making these officials accountable. Absolutely anything done can be passed off under the 'good faith' clause.

A meagre effort is made by requiring reasons to be recorded for most actions to be taken under this act. But apart from the fact that the courts are going to be flooded with cases requiring that actions of controllers be struck down.

Adjudication

Section 46 provides for an adjudicating officer to be appointed by the central government from the executive for "holding an inquiry in the manner prescribed by the central government". The adjudicative mechanism envisaged has two major problems. One it is an extension of the executive and two there is nothing to suggest that any ordinary citizen can invoke it.

Section 48 provides for the establishment of a cyber-appellate tribunal by the central government and Section 49 makes it clear that such tribunals shall consist of one member only. A member from the Indian Legal Service, a sitting or retired high court judge or any member qualified to be a judge of the high court will be named presiding officer. This can create severe problems as the member may not be a technical man. Matters under this act are essentially technical and such expertise needs to be represented on the tribunal. Section 62 provides for appeal from the CRAT to the high court. Litigation explosion is going to be a definite feature under the provisions of the Act when more and more people who feel they have been wronged by the arbitrary use of the executive's powers throng the corridors of the court for redressal of their grievances. The fact that the ordinary courts are absolutely not equipped to deal with technical issues is only going to complicate matters.

VI

Conclusion

The Information Technology Act raises very real concerns. It demonstrates a legislature deeply sceptical of the internet, rooted in the conventions of the past, yet battling with the need for an information technology law in the present-day circumstances. This straddling of the known and the unknown has strange results. In its desperate need to bring in some security for activity on the net, it relies heavily on the executive, little realising that it can result in violation of civil rights particularly in light of India's infamous emergency. The absolute control it attempts to achieve over certifying authorities is worrying for the same reason. The act lacks balance.

While it is stated in the preamble that the act has been passed "to facilitate electronic filing of documents with government agencies", reading the act makes one question whether the government has thought through on what it attempts to do with the act. The World Bank and UNCITRAL are pushing through e-governance and e-commerce laws with great enthusiasm and India has with equal alacrity jumped onto the bandwagon. But the fact remains that though Indians are spearheading the IT revolution around the world, the internet in India is in its nascent stage. If India is attempting to put in a regulatory framework while going online, it is a commendable move, only the execution has worked out all wrong. Section 5 recognises digital signatures and Section 6 allows digitally signed dealings with the government. But for the ordinary middle class taxpayers, getting a digital signature under the act involves far too much hassle, too little security and the threat that they could be under government surveillance without their knowledge.

The line between the real world and the mechanical world is becoming more and more blurred every day. But it is not that humans are turning into automatons or becoming slaves to machines. No, we are simply growing towards each other. In the Blue Nowhere machines are taking our personalities and culture - our language, myths, metaphors, philosophy and spirit.41

It becomes important, in this context, for any law-making body to think through on what the consequences of its actions will be. The issue of privacy is a serious one which the Act impacts on very unfavourably as the appendix reveals.

The Information Technology Act 2000 needs some serious reworking. The government needs to ask itself whether the answer to the insecurity to the net lies in the brute force of the executive. If e-governance is about facilitation, the ITA seems to be about complication.

Notes

1 Deaver, Jeffrey; The Blue Nowhere; Pocket Star Books

2 "Digital and Electronic Signatures" http://members.aol.com/Winchel3/Links/Legal/Signatures/SignaturesLegalLinks.htm

3 Prannoy Roy hosted a talk show on BBC about the Y2K issue in which Sabeer Bhatia participated. Sabeer Bhatia is CEO Arzoo.com.

4 Dhar, Ravi Kumar "State Surveillance, Citizens' Civil Rights and Cyber Crime: Indian Information Technology Act-2000 in Retrospect"; http:/jcmc.huji.ac.il/vol2/Issue1/intro.html

5 A/RES/51/162 dt 30th January 1997.

6 Article 5: Legal Recognition of Data Messages

Information shall not be denied legal effect, validity or enforceability solely on the grounds that it is a data message.

This principle is intended to be of general application and therefore does not establish the effectiveness, validity or enforceability of a data message. It embodies the doctrine of 'functional equivalence - that there should be no disparity of treatment between data messages and paper documents. "The form in which certain information is presented or retained cannot be used as the only reason for which that information is denied legal effectiveness validity or enforceability."

Article 6: Writing

(1) Where the law requires information to be in writing, that requirement is met by a data message if the information contained therein is accessible so as to be usable for subsequent reference. (2) Paragraph 1 applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the information not being in writing.

(3) The provisions of this article do not apply to the following [...]

Article 6 concentrates upon the notion of information being reproduced and read. The advantages stated in favour of written documents are that they can be accessed in the original at any time for subsequent reference. The use of the word 'accessible' in Article 6 is intended to mean that information in the form of computer data should be readable and able to be interpreted, and that the software that might be necessary in order to satisfy those requirements may need to be retained. The word 'usable' is intended to cover not only human use but also computer processing. The requirement of 'subsequent reference' was preferred to 'durability' or 'non-alterability' both of which were understood to have limited application with regard to paper, and 'readability' and 'intelligibility' which were passed over as too subjective as standards.

7 Ryder, Rodney D.; Guide To Cyber Laws (Information Technology Act, 2000, E-Commerce, Data protection and the Internet); Wadhwa; p 364.

8 This section corresponds to Article 7 of the UNCITRAL Model Law: Signature

(1) Where the law requires the signature of a person, that requirement is met in relation to a data message if

a) A method is used to identify that person and to indicate that a person's approval of the information contained in the data message; and

(b) that method is as reliable as was appropriate for which the data message was generated or communicated, in light of all the circumstances, including any relevant agreement.

(2) Paragraph 1 applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences in the absence of a signature.

(3) The provisions in this article do not apply to the following [...] Paragraph 1(a) establishes the principle, that in an el

ectronic environment, the basic legal functions of a signature are performed by way of a method that identifies the originator of a data message and confirms that the originator approved the content of that message. Paragraph 1(b) establishes a flexible approach to the level of security to be achieved by the method of identification used under Paragraph 1(a). In determining whether the method used under paragraph 1 is appropriate legal, technical and commercial factors should be taken into account. The examples listed are:

(I) The sophistication of the equipment used by each of the parties

(II) The nature of their trading activity

(III) The frequency at which the commercial transactions take place between the parties

(IV) The kind and size of the transaction

(V) The function of signature requirements in a given statutory and regulatory environment

(VI) The capability of communication systems

(VII) Compliance with authentication procedures set forth by intermediaries

VIII) The range of authentication made available by the intermediary

(IX) Compliance with trade customs and practices

(X) Existence of insurance coverage mechanisms against unauthorised messages

(XI) The importance and value of the information contained in the data message

(XII) The availability of alternative methods of authentication and the cost of implementation

(XIII) The degree of acceptance or non-acceptance of the method of identification in the relevant industry or field both at the time the method was agreed upon and the time that the data message was communicated; and

(XIV) Any other relevant factor

This article establishes a basic standard of authentication both in circumstances where national laws leave issues of authentication entirely up to contracting parties to decide and where requirements for signature are set by mandatory provisions of national law which are not subject to alteration by agreement of the parties.

Article 7(3) is similar to article 6(3) in that it allows national legislatures to exempt specific instances from the operation of these provisions for the model law recognises that there may be good reasons for specifying instances where it is not appropriate for an electronically signed document to have the same effect as one with a hand written signature as in the case of wills and negotiable instruments.

9 This section corresponds with Article 10 of the UNCITRAL model law titled 'Retention of Data Messages:

(1) Where the law requires certain documents, records or information be retained, that requirement is met by retaining data messages, providing certain conditions are satisfied:

(a) the information contained therein is accessible so as to be usable for subsequent reference

(b) the data message is retained in the format in which it was generated sent or received, in a format which can be demonstrated to represent accurately the information generated, sent or received; and

(c) such information, if any, is retained as enables the identification of the original and destination of data message and the date and time when it was sent or received.

(2) An obligation to retain documents, records or information in accordance with Paragraph (1) does not extend to any information the sole purpose of which is to enable the message to be sent or received.

(3) A person may satisfy the requirements referred to in Paragraph (1) by using the services of any other person, provided that the conditions set forth in sub-paragraphs (a) (b) (c) of Paragraph (1) are met.

This Article establishes a set of alternative rules for existing requirements regarding the storage of information. Paragraph (1) sets out conditions under which data messages can be stored. Sub-paragraph (a) reproduces conditions established under article 6 for a data message to satisfy the requirement of 'writing'. Sub-paragraph (b) emphasises that the message need not be retained unaltered as long as the information stored accurately reflects the data message as it was sent thus recognising that messages may have to be decoded or compressed or converted in order to be stored. Sub-paragraph (c) insists that transmittal information which may be necessary for the identification of the message be stored.

Sub-paragraph (c) establishes a distinction between those elements of transmittal information that are important for the identification of the message and those covered by paragraph (2) which are of no value with regard to the data message and which will automatically be stripped out of an incoming data message by the receiving computer before it actually enters the information system of the addressee.

10 Kamath, Nandan; Law Relating to Computers, Internet and E-Commerce- A Guide to Cyberlaws; Universal Law Publishers; p 109.

11 Ibid; p 109.

12 Basu, Subhajit and Jones, Richard "Legal Issues Affecting E-Commerce: A Review of the Indian Information Technology Act, 2000"; http://www.bileta.ac.uk/02papers/basu.html

13 supra n 10, p 118.

14 Therefore the key has to be securely transmitted to the addressee in order to enable him to be able to read the message. Here lies the primary disadvantage of the system - if the key can be securely transmitted, so can the message! Further, there has to be some method of ensuring that encrypted messages can be recovered if the private key is lost - retaining the technology to do so makes it easy for hackers. Further where there are a large number of users who will have to access the system, secret key cryptography is potentially unsafe because the risk of the key falling into the wrong hands is greater; ibid, pp. 118-119

15 Sood, Vivek; Cyber law Simplified; Tata McGraw Hill Publishing Co, p 443.

16 supra n 12.

17 Vishwanathan, Suresh T; The Indian Cyber law; 2nd Edition; Bharat Publishing House, New Delhi, 2001; p 42.

18 Mittal, D P; Law of Information Technology (Cyber law), Taxmann, p 52.

19 supra n 12.

20 Greenleaf, Graham "Privacy Implications of Digital Signatures"; http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html

21 Lemos, Robert "Digital signatures a threat to privacy?"; http://zdnet.com.com/2100-11-519795.html?legacy=zdnn

22 supra n 4.

23 supra n 21.

24 Ibid.

25 supra n 22.

26 Ibid.

27 Ibid.

28 supra n 21.

29 supra n 4.

30 Kaner, Cem "The Insecurity of the Digital Signature"; http://www.badsoftware.com/digsig.htm

31 supra n 21.

32 schneier, Bruce "Why Digital Signatures Are Not Signatures"; http://www.counterpane.com/crypto-gram-0011.html

33 supra n 10, p 119.

34 Ibid, p 119.

35 Ibid, p 120.

36 supra n 33.

37 Berst, Jesse "Sign of Trouble: The Problem With E-Signatures"; http://www.zdnet.com/anchordesk/stories/story/0,10738,2604099,00.html

38 supra n 4.

39 supra n 12.

40 supra n 12.

41 supra n 1, p 75.
Return to Home Page of the South Asia citizens web