[Reader-list] India: Information Technology Act: Danger of Violation of Civil Rights

Harsh Kapoor aiindex at mnet.fr
Sat Aug 30 23:57:26 IST 2003


The Economic and Political Weekly [Bombay, India]
August 23, 2003
Special Article


Information Technology Act: Danger of Violation of Civil Rights

The Information Technology Act raises very real concerns. It
demonstrates a legislature deeply sceptical of the internet, rooted
in the conventions of the past, yet battling with the need for an
information technology law in the present-day circumstances. This
straddling of the known and the unknown has strange results. In its
desperate need to bring in some security for activity on the net, it
relies heavily on the executive, little realising that it can result
in violation of civil rights, particularly in the light of India's
infamous emergency. The absolute control it attempts to achieve over
certifying authorities is worrying for the same reason. The act lacks
balance.

Sruti Chaganti

I
Introduction

When I say the brain is a machine, it is meant not as an insult to
the mind but as an acknowledgment of the potential of a machine. I do
not believe that a human mind is less than what we imagine it to be,
but rather that a machine can be much, much more.1

- W Daniel Hillis
The Pattern on the Stone

From Charles Babbage's first computer far back in the 1800s to the
military network of 40 computers in the US connected by links and
lines in 1969 called the Advanced Research Projects Agency Network
(ARPANET) to the internet as we know it today, a world wide web that
links the globe through 50 million nodes, a network of 233.3 million
computers and a user group of 163 million individuals/entities,2
technology and therefore life has progressed into a world which seeks
to obliterate barriers of economy, polity, society and administration.

When Prannoy Roy gaped at Sabeer Bhatia's description of his life on
the net3 from business through entertainment to shopping for fresh
vegetables, I agreed with Roy. But today the net has indeed overtaken
conventional living. Business on the net is easy and with the variety
of services offered it is little wonder that people are
increasingly turning to the net for everyday living. The future lies
there - in a network of computers spanning the globe.

It becomes imperative then that government services are also
delivered online. This could prove to be a blessing for the net
entails transparency and accessibility of information: the lifeblood
of any democracy. Corruption and red tapism, the greatest evils of
modern governments, can be thwarted fairly successfully. And for
ordinary users - if they can buy vegetables and pay their bank dues
on the net shouldn't they also be able to pay their electricity bills
and apply for licences online?

If e-governance and e-commerce are to be viable options, electronic
records and digital signatures must gain legal validity. If the
courts of law refuse to enforce a contract or validate a licence,
entered into or obtained on the net, the growth potential of the
internet will be severely retarded.

And yet the internet is not all goodness and opportunity. The World
Wide Web is the playground of a new sort of criminal - one who revels
in the anonymity offered by a network of millions of computers and
whose apprehension legal systems across the world are battling with
rather unsuccessfully. The internet challenges every single
convention and belief that traditional legal systems are based upon.
Benjamin Wittes is said to have remarked:


Suppose you wanted to witness the birth and development of a legal
system. You would need a large complex system that lies outside of
all other legal authorities. Moreover, you would need that system
somehow to accelerate the seemingly millennial progress of legal
development, so you would witness more than a moment of progress. The
hypothetical system might seem like a social scientist's fantasy, but
it actually exists. It's called the Internet.4


It is to enable online governance and to grant legal recognition to
electronic records and digital signatures that the Information
Technology Act was passed. The act attempts to regulate life on the
net and counteract known dangers to security and privacy of
information. In doing so, it has set up a regulatory mechanism that
is distinguished by the stranglehold the central government has been
granted on all matters pertaining to it. The act has been the subject of
severe criticism for the extent of executive discretion, immunity for
executive actions, disproportionate penalties and the introduction of
a system so tedious and complex that it is bound to hamper the
progress of life on the net for Indians. Worse still is the extensive
power granted to the state to impinge on the privacy of netizens.

This paper examines the feasibility of e-governance in light of the
provisions of the act and the very real dangers in following through
with it. An analysis is made in light of the UNCITRAL model
provisions, the insecurity of the net and the existing legal system.
The emphasis is on administrative functioning or malfunctioning and
its impact on the fulfilment of the intentions of the act.

II
E-Governance

The Preamble of the Information Technology Act, in one of its clauses, reads:


and WHEREAS it is considered necessary to give effect to the said
resolution and to promote efficient delivery of governance services
by means of reliable electronic records; be it enacted by the
Parliament in the fifty-first year of the Republic of India as
follows...


The United Nations Commission on International Trade Law adopted the
model law on electronic commerce which was then adopted by the
General Assembly in a resolution5 that requires the states to give
favourable consideration to the model law when enacting or revising
their laws of similar import. India accordingly enacted the ITA 2000
keeping in view the provisions of the UNCITRAL model law.

Section 4 of the Information Technology Act titled 'Legal Recognition
of Electronic Records' lays down that where any law requires that any
information/matter shall be in writing/ type-written/printed form,
then notwithstanding anything contained in such law, such requirement
shall be deemed to have been satisfied if such information or matter
is (a) Rendered or made available in electronic form; and (b)
Accessible so as to be usable for subsequent reference.

This one section combines the import of both articles 5 and 6 of the
UNCITRAL Model Law.6 There is no provision in the ITA however which
corresponds to paragraph 3 of article 6 of the said Model which
allows an enacting state to exclude certain specified situations from
the application of the functional equivalence doctrine where an
enacting state does not wish to establish such a complete equivalence
as in the case of cheques, wills, negotiable instruments, etc.7
However, such a provision might have been redundant in the light of
section 9, which lays down that nothing contained in sections 6, 7 and
8 confers any right upon any person to insist that any ministry or
department of the central government or state government or any other
authority/body established by/under law or controlled/funded by the
central/state government should accept/issue/create/retain/preserve
any document in the form of electronic records or effect any monetary
transaction in the electronic form.

Section 5, 'Legal Recognition of Digital Signatures',8 lays down that
where any law requires that information/other matter should be
authenticated by signature, then notwithstanding anything contained
in such law, the requirement will be deemed to have been fulfilled if
authenticated by means of a digital signature affixed in the manner
prescribed by the central government.

Section 16 lays down that the central government shall prescribe the
security procedure having regard to commercial circumstances
prevailing at the time when the procedure was used including: (a) the
nature of the transaction; (b) the level of sophistication of the
parties with reference to their technological capacity; (c) the
volume of similar transactions engaged in by other parties; (d) the
availability of alternatives offered to but rejected by any other
party; (e) the cost of alternative procedures; and (f) the procedures
in general used for similar types of transactions or communications.

However section 15 lays down that if by application of a security
procedure agreed to by the parties concerned it can be verified that
a digital signature, at the time it was affixed, was: (a) unique to
the subscriber affixing it; (b) capable of identifying such
subscriber; and (c) created in a manner or using a means under the
exclusive control of the subscriber and is linked to the electronic
record to which it relates in such a manner that if the electronic
record was altered, the digital signature would be invalidated, then
such signature shall be deemed to be a secure digital signature.

While the tenor of section 16 is that the security requirements of a
signature will be determined by central government rules, the
inference of section 15 is that private parties also can work out
their own security procedures. Yet the tone and tenor of the entire
act and the rules does not bear out the latter inference. Is this a
contradiction in terms? Or, is there a plausible interpretation?

Section 6 of the ITA lays down the foundation of electronic
governance. Sub-section (1) allows the filing of any form,
application or other document, the creation, retention or
preservation of records, the issue or grant of any licence or permit,
and any receipt or payment in government offices and their agencies
to be done in electronic form.

Sub-section (2) provides for the making of rules by the appropriate
government to prescribe: (a) the manner and format in which such
electronic records shall be filed, created or issued; (b) the manner
or method of payment of any fee or charges for the filing, creation or
issue of any electronic record under clause (a). This legislation is
particularly useful because it allows for such online filing without
piecemeal amendments having to be made to different acts. Section 9,
which has already been discussed, allows for this to happen on an
"opt-in" basis so that those agencies which are not yet ready to go
"paperless" are not compelled to do so. But whether such a blanket
exemption should have been granted instead of an adequate timeframe
is debatable.

Section 7 deals with the 'Retention of Electronic Records'.9
Sub-section (1) lays down that where the law requires certain
documents, records or information be retained, that requirement is
met by retaining data messages, providing certain conditions are
satisfied: (a) the information contained therein is accessible so as
to be usable for subsequent reference; (b) the data message is
retained in the format in which it was generated, sent or received, or in
a format which can be demonstrated to represent accurately the
information generated, sent or received; and (c) such information, if
any, is retained as enables the identification of the origin and
destination of data message and the date and time when it was sent or
received.

The proviso to the sub-section reads: An obligation to retain
documents, records or information in accordance with sub-section (1)
does not extend to any information the sole purpose of which is to
enable the message to be sent or received. Sub-section (2) lays down
that nothing in the section shall apply to any law that expressly
provides for the retention of documents, records or information in
the form of electronic records.

Section 8 of the ITA provides for the publication of an Electronic
Gazette with a proviso which states that where any
rule/regulation/order/by-law/notification/any other matter is
published in the official Gazette or in the Electronic Gazette, the
date of publication shall be deemed to be the date of that official
Gazette which was first published in any form.

Section 10 gives the central government the power to make rules so as
to prescribe (a) the type of digital signature; (b) the manner and
format in which the digital signature shall be affixed; (c) the
manner or procedure which facilitates identification of the person
affixing the digital signature; (d) control processes and procedures
to ensure adequate integrity, security and confidentiality of
electronic records or payments, and (e) any other matter which is
necessary to give legal effect to digital signatures.

While the ITA 2000 has gone along with the UNCITRAL model provisions
a good distance, it has made subtle but significant changes which
lead one to question whether the act succeeds in what it sets out to
do. Section 9 is a major drawback as it leaves a large amount of
discretion in the hands of the government as to whether or not to go
online. While it is a fact that the government needs time to break
conventions over a hundred years old and to train employees to catch
up with modern technology, the absence of any kind of time frame can
seriously hamper e-governance becoming a feasible option in the near
future.

III
Electronic Records and Digital Signatures

Section 3(18) of the General Clauses Act, 1879 defines document as
"any matter written, expressed or described upon any substance by
means of letter, figure or marks, or by more than one of these means
which is intended to be used, or which may be used for the purpose of
recording that matter".10

Information on the computer is stored as bits and bytes, the
electronic equivalent of zeros and ones. It is thus argued that these
zeros and ones are expressions on the computer disc in the form of a
figure or mark thereby classifying electronic records as documents
under Indian law.11

Section 11 of the ITA lays down that an electronic record shall be
attributed to the originator if it was sent (a) by the originator
himself; (b) by a person who had the authority to act on behalf of
the originator in respect of that electronic record; or (c) by an
information system programmed by or on behalf of the originator to
operate automatically.

The General Clauses Act does not define signature anywhere but
explains 'sign' with its grammatical variations and cognate
expressions, with reference to person, to mean affixing of his
handwritten signature or any mark on any document. It is argued that
if a person can introduce such information to any document so as to
authenticate authorship, it will be construed as a signature whether
written or printed and so digital signatures are also covered.12

Section 4 of the ITA provides for a subscriber to authenticate an
electronic record by affixing his digital signature by the use of
"asymmetric crypto system which envelop and transform the initial
electronic record into another electronic record".

While the UNCITRAL model provisions have chosen to be technology
neutral when it comes to methods of digital signatures, the ITA has
made it clear that a digital signature has to use the asymmetric
crypto system.

'Cryptography' is derived from Greek words that mean "secret writing"
and involves the process of encryption and decryption. Encryption is
the process of transforming plain text into unintelligible form and
decryption is the process of converting the unintelligible data back
into the original plain text.13 Encryption can be used for two
purposes: (1) Maintaining the confidentiality of the message; and (2)
Affixing a digital signature.

In the former case the text itself is converted using an algorithm
into cipher text so as to ensure that those who are not intended to
read the message do not read it. The process used is called symmetric
cryptography, or secret key cryptography. In this process the same
key or algorithm that is used to encrypt also has to be used to
decrypt.

Owing to the disadvantages of symmetric cryptography,14 the
asymmetric crypto system came into place. The system envisages the
use of two keys - a public key and a private key. The explanation to
sub-section (2) to section 3 reads "For the purpose of this
sub-section, 'hash function' means an algorithm mapping or
translation of one sequence of bits into another, generally smaller
set known as 'hash result' such that an electronic record yields the
same hash result every time the algorithm is executed with the same
electronic record as its input making it computationally infeasible
(a) to derive or reconstitute the original record from the hash
result produced by the algorithm; (b) that two electronic records can
produce the same result using the algorithm."15

Thus to create a digital signature, the following would be involved:

(1) Section 2 (1) (zc) of the ITA defines a 'private key' as the key
pair used to create a digital signature.
(2) Section 2(1) (zd) of the ITA defines a 'public key' as the key of
a key pair used to verify a digital signature and which is listed in
the digital signature.
(3) The information that has to be signed is delimited and is
popularly known as the 'message'.
(4) On this message the hash function is applied which compresses the
information in a digital form known as the 'hash result' or the
'message digest'. The hash function computes a result of standard
length which is unique to the electronic record and in such a way
that it is impossible to reconstruct the original data from the hash
results and for two electronic records to produce the same result
using the same function.
(5) The signatory uses his private key to encrypt the message digest,
and this is his digital signature.
(6) He appends the original message to the digital signature and
sends it electronically to the addressee.
(7) The addressee decrypts the signature using the signatory's public
key and recovers the message digest.
(8) He then applies the hash function on the plain text message
attached and derives its hash result.
(9) He compares the two message digests to ensure that there has been
no tampering.

The public key and private key are large numbers, strings of data
produced by using a series of formulae and are mathematically related
to each other.16 The security and confidentiality of the private key
are imperative for the system to be successful. Its major advantage
lies in the fact that the public key can be made freely available by
publication in a directory, online repository and even visiting cards
without compromising the security of the private key provided the
system is designed well enough to prevent hacking. Yet critics of
this system find its security a severely debatable point.

IV
Insecurity of the Net

The UNCITRAL model law concentrates upon two basic functions of a
signature to identify the author of a document and to confirm that
the author approved the content of the document.

An electronic signature means any letters, characters, numbers or
other symbols in digital form or attached to or logically associated
with an electronic record, and executed or adopted with the intention
of authenticating or approving the electronic record and is
fundamentally different from a digital signature. A digital signature
is an "electronic identifier that utilises an information security
measure, most commonly cryptography, to ensure the integrity,
authenticity and non-repudiation of the information to which it
corresponds".17 The information security measure mandated by the act
is the asymmetric crypto system and hash function. Thus a digital
signature serves three essential functions:

Data Integrity - indicates whether a file or message has been
tampered with.
Data Authentication - makes it possible to digitally
(mathematically) verify the name of the person who signed the
message.
Non-repudiation - makes it impossible for the originator of the
message to deny that he sent or signed it.18

Despite this, digital signatures have run into problems and have been
the subject of severe criticism by sceptics. Digital signatures have
raised issues on the fronts of security, privacy and authenticity.
Section 3 of the ITA Act is categorical when it comes to ensuring
that only public key cryptography and hash function can be used to
digitally sign documents. It is argued in favour of the provision
that states can develop detailed regulatory schemes which in theory
should provide for certainty and allow for infrastructure
development. The fact that, of all known systems, the asymmetric
crypto system is the hardest to crack made it the logical choice.

However, the argument against being technology specific is steadily
building up. Limiting transactions to the said system can be harmful
and self-destructive as it is in the process of being replaced by a
more secure system. Further infant technology will either not be
developed or gain a foothold in the market. The more horrifying
possibility is that the legal system will be tied to an insecure
system. The most ignored disadvantage however is that adopting an
exclusive technology opens the door wide to more successful breaches
of that technology.19 Cryptography is based on algorithms which are
complex mathematical puzzles and it can be broken simply by solving
the puzzle. While a simple one takes very little time, a more complex
one just takes longer. The safety of cryptography is based on the
complexity of the mathematical puzzle. When there is only one
technology, efforts to break it can be that much more dedicated and
concentrated. The use of computers makes it easier. The computer is
simply allowed to test each mathematical possibility until the
algorithm or mathematical solution is found. This method is called a
'brute force attack'. The strength of the algorithm, it can be then
said, depends on the time taken to test each mathematical possibility
- greater the number of possibilities, greater the time taken. The
law of averages then dictates that the solution can be found after
only 50 per cent of the possibilities have been tested.20

Thus an argument is mooted in favour of a technology neutral approach
on the grounds that it offers more flexibility and security. Further
considering that legislators are not in a position to predict the
future with cryptographic advancements or legal developments, they
should just keep away from prescribing any one technology. And yet is
this approach without its problems? A critique of the American law
finds exactly this neutrality problematic. "The new law says nothing
about technology. Any number of companies will say their digital
signature technology is the safest and the best. We'll likely
discover who is right through trial and error. In the meantime, the
details of e-signatures and electronic contracts will almost
certainly end up back in court."21

Digital signatures are prone to 'spoofing' where a bogus public key
is created that purports to be that of a particular person when it
really is not. It is to address this risk that certification
authorities are envisaged to certify that the public key is that of a
particular person.

In the creation of these certification authorities, the act has run
the severe risk of compromising the privacy for individuals online.
Alan F Westin defines privacy as: "the desire of people to choose
freely under what circumstances and to what extent they will expose
themselves, their attitude and their behaviour to others".22 The ITA
has made it clear that a digital signature will be valid only if it
is obtained under the provisions of the act. This means that users
will be forced to establish their identities with one or more
certification authorities under the act. This is intrusive because it
requires people to expose data about themselves that they may wish to
keep private particularly when it is not necessary that they reveal
such information. Three pressures have been identified that make the
necessity felt for collecting identification information:
(1) the Technological imperative - "it can be done, so it should be done";
(2) the Marketing imperative - "the more the marketers know about
consumers, the more efficient marketing communications will be, and
the better informed the consumer is";
(3) the Social Control imperative - "the public is not to be trusted,
and data about their behaviour is essential in order to deter
non-compliance and detect and prosecute offenders".23

The approach that establishing standards will counteract the evils of
taking personal information, as in the case of Australia, for
instance,24 does not remove the main issue. Rule 33 of the Certifying
Authorities rules, for instance, states that such information as is
not revealed on the digital signature certificate shall be kept
confidential. But the fact is that the chances of that information
indeed remaining private are slim when one takes into account the
functioning of our bureaucracy.

One might wonder what the hue and cry about privacy is. Just as one
fills in thousands of documents in government offices, this is just
another one of those. Further our constitution does not expressly
grant us the right to privacy - it has been impliedly read in. But
the essential fact is that we are dealing with here is the internet.
The positive resource that one creates for secondary use through such
information being revealed to all and sundry is mind-boggling. The
digital signature certificate is a public document - it would defeat
the purpose otherwise. They can be published in online repositories.
With dotcom sites stealing information and selling it unauthorisedly,
the risks of impersonation become manifold.25 "A digital signature
stands for a human in cyberspace ... yet it can be used by others."26

Section 39 of the ITA makes it mandatory to publish a notice of
suspension or revocation of a certificate in an online repository.
Section 38 allows for the revocation of a certificate on request of
the subscriber or any person authorised by him. This creates its own
set of problems. What if the repository is manipulated by someone?
What if an impersonator makes a request? A digital signature is
likened to a passport.27 If once a person's details appear in the
online repository without any fault of his, his credibility is lost.
And if someone impersonating the subscriber has the certificate
revoked and a new one issued, the consequences are too horrifying
to think of.

Generating a key pair is not inexpensive. How then is the ordinary
user of governmental services supposed to procure one?

Expense apart, for the success of the system of digital signatures it
is essential to maintain confidentiality of the private key and its
safety. The key generation should be undertaken entirely under the
control of the individual concerned. The fact that the government lays
down the security procedure is itself a bone of contention for it is
believed that the government would have a vested interest that a
private key be not too secure.28 Even if one were to agree that a
basic standard has to be set for otherwise the key pair might not be
secure, the requirement of rule 3 (1) (b) that the procedure for
generation of the public and private key be specified in the
application for the grant of licence and rule 19(vi) that the
encryption technique has to be approved by the controller have no
justification.29 It is argued that "this will defeat the very purpose
of having a secure encryption technique or else any one can break
into the public key or private key using the technique set out for
encryption".

The private key is usually a large number quite impossible to
memorise. Storing it in the hard disk of a computer leaves it wide
open to theft by a number of methods, each of which is quite
undetectable. Storing in a floppy or CD in such a way that it does
not enter into the memory of the computer increases its chances of
being lost and falling into the wrong hands.30 Again there is the
issue of back up. "Escrow" is an arrangement whereby something is
placed on deposit with a trusted third party. This is a potentially
dangerous proposition. An alternative to this can be worked out where
the algorithm is broken up into several parts and stored with several
organisations/individuals such that it is not possible for them to
collude and no one of them can determine the private key from its own
part of the algorithm alone.31
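The article names no particular scheme for splitting the key among several holders. One well-established way to realise it is Shamir's threshold secret sharing, shown here as an added example written for this page (not the article's or any vendor's code); the choice of scheme, the field modulus and the 3-of-5 split are all my assumptions. Each holder receives one point on a random polynomial whose constant term is the key; any three points fix the polynomial, while two reveal nothing about it.

```python
"""Splitting a private key among several holders (constructed teaching
code). The article describes the idea only; the concrete scheme used
here, Shamir's threshold secret sharing over a prime field, is an
assumption of this example, not the article's."""
import random

# Field modulus: 2^521 - 1 is a Mersenne prime, large enough to hold a
# 512-bit RSA private exponent as a single field element.
PRIME = (1 << 521) - 1


def split_secret(secret: int, threshold: int, holders: int, seed=None):
    """Return `holders` shares (x, y). Any `threshold` of them recover the
    secret; fewer give no information about it. Shares are points on a
    random polynomial of degree threshold-1 whose constant term is the
    secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    coefficients = [secret] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]

    def polynomial(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coefficients)) % PRIME

    return [(x, polynomial(x)) for x in range(1, holders + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the field. With fewer than
    `threshold` shares this returns a value unrelated to the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        numerator = denominator = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                numerator = numerator * (-xj) % PRIME
                denominator = denominator * (xi - xj) % PRIME
        total = (total + yi * numerator * pow(denominator, -1, PRIME)) % PRIME
    return total


def demo():
    """Split a constructed 256-bit stand-in for a private key 3-of-5 and
    try recovery from the first three holders, from a different three,
    and from only two."""
    private_key = (1 << 255) + 0xC0FFEE  # constructed stand-in, not a real key
    shares = split_secret(private_key, threshold=3, holders=5, seed=2000)
    return (
        recover_secret(shares[:3]) == private_key,   # True
        recover_secret(shares[2:]) == private_key,   # True
        recover_secret(shares[:2]) == private_key,   # False
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Unlike escrow with a single trusted third party, no single holder (and no pair of holders, at this threshold) can reconstruct the key, and the holders can be chosen so that the required number would have to collude; the trade-off is that the key must be reassembled on one machine whenever it is needed, which brings back the storage risks discussed above.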

In theory, when A wants to sign a document she performs
a mathematical calculation using the document and a private key; then
she appends the result of that calculation, which is the signature, to
the document and sends it off. The truth is that more often than not,
her computer does it for her, for which reason she stores the private
key on her hard disk.32 Now there are three well known ways in which
a system can be penetrated:

Monitoring of electronic emissions33: Most electronic communication
devices emit electromagnetic radiation that is highly correlated
with the information carried or displayed on them and can be read off
the terminal in principle from a distance by equipment specially
designed to do so.

Device penetration34: A software controlled device can be penetrated
in a number of ways. For example, a virus may infect it, making a
clandestine change. A message or a file can be sent to an unwary
recipient who activates a hidden programme when the message is read
or the file is opened; such a programme, once active, can record the
keystrokes of the person at the keyboard, scan the mass storage media
for sensitive data and transmit it, or make clandestine alterations
to stored data. The virus could display one message on the screen and
sign another by penetrating the signing software.

Infrastructure penetration35: The infrastructure used to carry
communication is based on software controlled devices called routers
through which information travels in data packets. Router software
can be modified to copy and forward all or selected traffic to an
unauthorised computer. There are myriad ways in which data can be
lifted off a person's computer. A digital signature authenticates the
document up to the point of the signing computer but does not
authenticate the link between that computer and the signatory.36 Even
where the private key is not stolen, an honest error can result in a
costly mistake. As Jessi Berst said, "there will be some volatile disasters
in the early days when somebody's seven-year old clicks and sells the
house or buys a car. When that happens, a pen and paper will seem
like pretty nifty technology".37

It is in this context where it is not easy to detect that the
private key has been compromised that the explanation to section 42
creates an unbreakable onus on the subscriber. In an attempt to cap
the liability on the CA and the addressee, the explanation declares
that the subscriber shall be liable till he has informed the
certifying authority that the private key has been compromised.

V
Administrative Control

In an attempt to counteract the known dangers to digital signatures
and transactions on the net, the ITA has set up a regulatory
mechanism in such a way that it almost defeats the dual purpose of
facilitating e-transactions and securing them.

Strangulating Administrative Control


Section 17: Appointment of Controller and Other Officers

(1) The central government may by notification in the official
Gazette, appoint a controller of certifying authorities for the
purposes of this Act and may also by the same or subsequent
notification, appoint such numbers of deputy controllers and
assistant controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act
subject to the general control and directions of the central
government.


This section has thus made it clear that the Controller will be an
officer of the central government and thus a part of the executive
arm of the state.

Section 18 lays down the functions, all or some of which the
Controller may perform, thereby granting the Controller excessive
control over the certifying authorities. Just to mention two: clause
(a), exercising supervision over the activities of certifying
authorities (there is nothing per se wrong with the supervision except
that a perusal of the act and guidelines leads one to understand that
such supervision can be terribly intrusive), and specifying the
contents of different printed or visual materials and advertisements
that may be distributed or used in respect of a digital signature,
certificate and the public key. The act puts in place a complex system
of licensing certifying authorities, giving the Controller and
therefore the government the power to demand absolutely any kind of
information before an application can be granted. Too short a period
has been granted between the grant of a licence and the requirement
for setting up shop. Section 19 allows for the recognition of foreign certifying
authorities by the Controller if he chooses with the approval of the
central government.38 But section 32 requires the foreign authority
to have a place of business in India which can prove to be a sure
dissuasive factor to foreign authorities. Many Indians have obtained
digital signature certificates from the international (non-Indian)
certifying authorities like Verisign and Globalsign.39 The rules do
not provide for the verification of these signature certificates and
therefore invalidate almost all of them. And yet to date, no CA has
become fully functional under the act.

Penalties and Offences

Section 42: Penalty for damage to computer, computer system, etc.
If any person without permission of the owner or any other person who
is in charge of a computer, computer system or computer network -
(a) accesses or secures access to it
(b) downloads, copies or extracts any data, computer data base or
information from it
(c) introduces or causes to be introduced any computer contaminant or
computer virus into it
(d) damages or causes to be damaged any computer, computer system or
computer network, data, computer database or any other programmes
residing in it
(e) disrupts or causes disruption of any computer, computer system or
computer network
(f) denies or causes the denial of access to any person authorised to
access it
(g) provides any assistance to any person to facilitate access in
contravention of provisions of this act
(h) charges the services availed of by a person to the account of
another person by tampering or manipulation,
he shall be liable to pay damages by way of compensation not
exceeding one crore rupees to the person so affected.
Section 65: Tampering With Computer Source Documents

Whoever knowingly or intentionally conceals, destroys or alters, or
intentionally or knowingly causes another to conceal destroy or alter
any computer source code used for a computer, computer programme,
computer system or computer network where the computer source is
required to be kept or maintained by law for the time being in force,
shall be punishable with imprisonment up to three years or with a
fine which may extend up to 2 lakh rupees, or both.

Section 66: Hacking With Computer System
(1) Whoever with intent to cause or knowingly that he is likely to
cause wrongful loss or damage to the public or any person destroys or
deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any
means commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to
three years or with fine which may extend up to 2 lakh rupees or both.

As is fairly obvious, the penalties that have been imposed are
monstrously large. These sections are much needed in view of the
absolute insecurity of the Net and the argument is that such heavy
penalties will have a deterrent effect. While that point is
debatable, there are a few basic flaws in the drafting of these
sections. Section 66 in the first instance is redundant thanks to
section 43. But most importantly, the definition of hacking itself is
per se wrong. It is not necessary that a hacker will
destroy/delete/alter data. He may just enter, read the private key
and leave the system again without having touched anything inside.

Section 44: Penalty for Failure to Furnish Information, Return, etc.

If any person who is required under this act or any rules or
regulations made thereunder to -

(a) furnish any document, return or report to the Controller or the
certifying authority fails to furnish the same, he shall be liable to
a penalty not exceeding one lakh and fifty thousand rupees for each
such failure.
(b) file any return or furnish any information, books or other
documents within the time specified therefor in the regulations
fails to file the return or furnish the same within the time
specified therefor in the regulations, he shall be liable to a
penalty not exceeding 5,000 rupees for every day during which such
failure continues.
(c) maintain books of account or records fails to maintain the same,
he shall be liable to pay a penalty not exceeding 10,000 rupees for
every day during which such failure continues.

Section 45 puts in place a residuary penalty: where there is no
express penalty provision, compensation of Rs 2,000 shall be paid.

These sections go a little overboard in the imposition of penalties.
Notwithstanding the all-intrusive control, the CAs are extensively
liable in the above mentioned ways. There is no exception for bona
fide mistakes. The certifying authorities are obligated to disclose
anything which materially and adversely affects either the
reliability of a certificate or the authority's ability to perform
its services. If a contravention under this act occurs for reasons
outside the control of the CA, does it mean that the CA stands to
lose its credibility?

Governmental Access

It is this part of the act that creates the most problems and results
in creating a system of regulation that leaves far too much
discretion and power in the hands of the government.

Section 29: Access to Computer and Data


(1) Without prejudice to the provisions of section 68, the Controller
or any person authorised by him shall, if he has reasonable cause to
suspect that any contravention of the provisions of this Act, rules
or regulations made thereunder has been committed, have access to any
computer system, any apparatus, data, or any other material connected
with such system, for the purpose of searching or causing a search to
be made for obtaining any information or data contained in or
available to such computer system.
(2) For the purpose of sub-section (1) the Controller or any person
authorised by him may, by order, direct any person in charge of or
otherwise concerned with the operation of the computer system, data,
apparatus or material, to provide him with such reasonable technical
and other assistance as he may consider necessary.


The section empowers the controller to access any information or data
from any computer system if he has reasonable cause to suspect that
any contravention of the provisions of this act has occurred. The
controller is an arm of the executive branch of the state and is
under the absolute control of the central government, and there is
absolutely no reason why the controller will not oblige executive
whims. Neither the section nor the general context of the act imposes
any kind of accountability on the controller; if anything, it is a
subtle (?) attempt at excluding judicial review of actions on the
ground that the controller had reasonable cause to suspect a
contravention.

Section 28 (1) empowers the controller or any officer authorised by
him to investigate any contravention of the provisions of this act.
In doing so sub-section (2) has granted him the powers conferred on
Income Tax authorities under chapter XIII of the Income Tax Act 1961.
It is argued with some fervour that this shows poor appreciation of
the nature of the internet, of cyber space. The provisions of the
Income Tax Act have been expressly designed with a view to curtailing
financial irregularities. Even if section 29 had been tempered with
judicial authority, the effect would not have been so bad. But the
section as it stands, in conjunction with the grant of powers under
the Income Tax Act, indicates a definite leaning of the state towards
arbitrariness.

Section 80 empowers any police officer not below the rank of DSP, or
any other officer of the central or state government authorised by
the central government, to enter any place and search and, without a
warrant and notwithstanding the provisions of the CrPC, arrest any
person who is suspected of having committed or of committing any
offence under the act. Though the provisions of the CrPC come into
play once the arrest is made, the conferral of powers under this
section may lead to very real misuse.


Section 69: Directions of Controller to a Subscriber to Extend
Facilities to Decrypt Information

(1) If the Controller is satisfied that it is necessary or expedient
so to do in the interest of the sovereignty or integrity of India,
the security of the State, friendly relations with foreign states or
public order or for preventing incitement to the commission of any
cognisable offence, he may, for reasons to be recorded in writing, by
order direct any agency of the Government to intercept any
information transmitted through any computer resource.
(2) The subscriber or any person in charge of the computer resource
shall, when called upon by any agency which has been directed under
sub-section (1), extend all facilities and technical assistance to
decrypt the information.
(3) The subscriber or any person who fails to assist the agency
referred to in sub-section (2) shall be punished with imprisonment
for a term which may extend to 7 years.


In a few words, the controller has been empowered to 'intercept' any
communication on the net. The Oxford Advanced Learners Dictionary of
Current English defines the word intercept as 'stop or catch
(somebody travelling or something in motion) before he or it can
reach a destination.'40 This section therefore could be facilitating
surveillance over a period of time without the knowledge of the
person concerned. This is a grave infringement of the civil rights of
citizens, particularly where the subjective satisfaction of the
controller that such surveillance is required is all that it takes.

The controller has been granted very wide discretionary powers and
absolutely no guidelines, checks or balances have been provided to
determine the 'satisfaction' of the Controller.

A paltry attempt has been made in section 72 to bring some
responsibility into the system. The section deals


save as otherwise provided in this Act or any other law for the time
being in force, if any person who in pursuance of any of the powers
conferred under this Act, rules or regulations made thereunder, has
secured access to any electronic record, book, registers
correspondence, information, document or other material without the
consent of the person concerned discloses such electronic record,
book, register, correspondence, information, document or other
material to any other person shall be punished with imprisonment for
a term which may extend to 2 years or with fine which may extend to 1
lakh rupees or with both.


This measure has been dismissed as paltry because under this section,
misconduct has to be proved whereas suspicion is enough for
sub-sections (2) and (3) of section 69 to apply. Further while
sub-section (3) of section 69 punishes a subscriber with seven years
imprisonment, this section imposes a mere two-year imprisonment on an
official of the state who owes a greater responsibility to both the
state and the people.

Further, various provisions in the act will make it next to
impossible to prove anything under this section and they are dealt
with as under.

Immunity to Officials Under this Act


Section 82: Controller, Deputy Controller and Assistant Controllers
to be public servants.
The presiding officer and other officers and employees of a cyber
appellate tribunal, the Controller, The Deputy Controller and the
Assistant Controllers shall be deemed to be public servants within
the meaning of section 21 of the IPC.
It has been argued that it is not clear whether this is sufficient to
bring it within the ambit of The Prevention of Corruption Act.
What is far more worrying is section 84 which reads thus:
No suit, prosecution or other legal proceedings shall lie against the
central government, the state government, the controller or any
person acting on behalf of him, the presiding officer, adjudicating
officers and the staff of the cyber-appellate tribunal for anything
which is in good faith done or intended to be done in pursuance of
this Act or any rule, regulation made thereunder.


This blanket exemption successfully thwarts any attempt at making
these officials accountable. Absolutely anything done can be passed
off under the 'good faith' clause.

A meagre effort is made by requiring reasons to be recorded for most
actions to be taken under this act. But apart from the fact that the
courts are going to be flooded with cases requiring that actions of
controllers be struck down.

Adjudication

Section 46 provides for an adjudicating officer to be appointed by
the central government from the executive for "holding an inquiry in
the manner prescribed by the central government". The adjudicative
mechanism envisaged has two major problems. One, it is an extension
of the executive, and two, there is nothing to suggest that any
ordinary citizen can invoke it.

Section 48 provides for the establishment of a cyber-appellate
tribunal by the central government and Section 49 makes it clear that
such tribunals shall consist of one member only. A member from the
Indian Legal Service, a sitting or retired high court judge or any
member qualified to be a judge of the high court will be named
presiding officer. This can create severe problems as the member may
not be a technical man. Matters under this act are essentially
technical and such expertise needs to be represented on the tribunal.
Section 62 provides for appeal from the CRAT to the high court.
Litigation explosion is going to be a definite feature under the
provisions of the Act when more and more people who feel they have
been wronged by the arbitrary use of the executive's powers throng
the corridors of the court for redressal of their grievances. The
fact that the ordinary courts are absolutely not equipped to deal
with technical issues is only going to complicate matters.

VI
Conclusion

The Information Technology Act raises very real concerns. It
demonstrates a legislature deeply sceptical of the internet, rooted
in the conventions of the past, yet battling with the need for an
information technology law in the present-day circumstances. This
straddling of the known and the unknown has strange results. In its
desperate need to bring in some security for activity on the net, it
relies heavily on the executive, little realising that it can result
in violation of civil rights particularly in light of India's
infamous emergency. The absolute control it attempts to achieve over
certifying authorities is worrying for the same reason. The act lacks
balance.

While it is stated in the preamble that the act has been passed "to
facilitate electronic filing of documents with government agencies",
reading the act makes one question whether the government has thought
through what it attempts to do with the act. The World Bank and
UNCITRAL are pushing through e-governance and e-commerce laws with
great enthusiasm and India has with equal alacrity jumped onto the
bandwagon. But the fact remains that though Indians are spearheading
the IT revolution around the world, the internet in India is in its
nascent stage. If India is attempting to put in a regulatory
framework while going online, it is a commendable move, only the
execution has worked out all wrong. Section 5 recognises digital
signatures and Section 6 allows digitally signed dealings with the
government. But for the ordinary middle class taxpayers, getting a
digital signature under the act involves far too much hassle, too
little security and the threat that they could be under government
surveillance without their knowledge.


The line between the real world and the mechanical world is becoming
more and more blurred every day. But it is not that humans are
turning into automatons or becoming slaves to machines. No, we are
simply growing towards each other. In the Blue Nowhere machines are
taking our personalities and culture - our language, myths,
metaphors, philosophy and spirit.41


It becomes important, in this context, for any law-making body to
think through what the consequences of its actions will be. The
issue of privacy is a serious one on which the Act impacts very
unfavourably, as the appendix reveals.

The Information Technology Act 2000 needs some serious reworking. The
government needs to ask itself whether the answer to the insecurity
of the net lies in the brute force of the executive. If e-governance
is about facilitation, the ITA seems to be about complication.

Address for correspondence:
sruti_c at yahoo.com

Notes

 1 Deaver, Jeffrey; The Blue Nowhere; Pocket Star Books
 2 "Digital and Electronic Signatures"
http://members.aol.com/Winchel3/Links/Legal/Signatures/SignaturesLegalLinks.htm
 3 Prannoy Roy hosted a talk show on BBC about the Y2K issue in which
Sabeer Bhatia participated. Sabeer Bhatia is CEO Arzoo.com.
 4 Dhar, Ravi Kumar "State Surveillance, Citizens' Civil Rights and
Cyber Crime: Indian Information Technology Act-2000 in Retrospect";
http:/jcmc.huji.ac.il/vol2/Issue1/intro.html
 5 A/RES/51/162 dt 30th January 1997.
 6 Article 5: Legal Recognition of Data Messages
Information shall not be denied legal effect, validity or
enforceability solely on the grounds that it is a data message.

This principle is intended to be of general application and therefore
does not establish the effectiveness, validity or enforceability of a
data message. It embodies the doctrine of 'functional equivalence' -
that there should be no disparity of treatment between data messages
and paper documents. "The form in which certain information is
presented or retained cannot be used as the only reason for which
that information is denied legal effectiveness, validity or
enforceability."
Article 6: Writing
(1) Where the law requires information to be in writing, that
requirement is met by a data message if the information contained
therein is accessible so as to be usable for subsequent reference.
(2) Paragraph 1 applies whether the requirement therein is in the
form of an obligation or whether the law simply provides consequences
for the information not being in writing.
(3) The provisions of this article do not apply to the following [...]
Article 6 concentrates upon the notion of information being
reproduced and read. The advantages stated in favour of written
documents are that they can be accessed in the original at any time
for subsequent reference. The use of the word 'accessible' in Article
6 is intended to mean that information in the form of computer data
should be readable and able to be interpreted, and that the software
that might be necessary in order to satisfy those requirements may
need to be retained. The word 'usable' is intended to cover not only
human use but also computer processing. The requirement of
'subsequent reference' was preferred to 'durability' or
'non-alterability' both of which were understood to have limited
application with regard to paper, and 'readability' and
'intelligibility' which were passed over as too subjective as
standards.
 7 Ryder, Rodney D.; Guide To Cyber Laws (Information Technology Act,
2000, E-Commerce, Data protection and the Internet); Wadhwa; p 364.
 8 This section corresponds to Article 7 of the UNCITRAL Model Law: Signature


(1) Where the law requires the signature of a person, that
requirement is met in relation to a data message if
(a) a method is used to identify that person and to indicate that
person's approval of the information contained in the data message;
and
(b) that method is as reliable as was appropriate for the purpose for
which the data message was generated or communicated, in light of all
the circumstances, including any relevant agreement.
(2) Paragraph 1 applies whether the requirement therein is in the
form of an obligation or whether the law simply provides consequences
in the absence of a signature.
(3) The provisions in this article do not apply to the following
[...]
Paragraph 1(a) establishes the principle that, in an electronic
environment, the basic legal functions of a signature are performed
by way of a method that identifies the originator of a data message
and confirms that the originator approved the content of that
message. Paragraph 1(b) establishes a flexible approach to the level
of security to be achieved by the method of identification used under
Paragraph 1(a). In determining whether the method used under
paragraph 1 is appropriate, legal, technical and commercial factors
should be taken into account. The examples listed are:
(I) The sophistication of the equipment used by each of the parties
(II) The nature of their trading activity
(III) The frequency at which the commercial transactions take place
between the parties
(IV) The kind and size of the transaction
(V) The function of signature requirements in a given statutory and
regulatory environment
(VI) The capability of communication systems
(VII) Compliance with authentication procedures set forth by intermediaries
(VIII) The range of authentication made available by the intermediary
(IX) Compliance with trade customs and practices
(X) Existence of insurance coverage mechanisms against unauthorised messages
(XI) The importance and value of the information contained in the data message
(XII) The availability of alternative methods of authentication and
the cost of implementation
(XIII) The degree of acceptance or non-acceptance of the method
of identification in the relevant industry or field both at the time
the method was agreed upon and the time that the data message was
communicated; and
(XIV) Any other relevant factor
This article establishes a basic standard of authentication both in
circumstances where national laws leave issues of authentication
entirely up to contracting parties to decide and where requirements
for signature are set by mandatory provisions of national law which
are not subject to alteration by agreement of the parties.
Article 7(3) is similar to article 6(3) in that it allows national
legislatures to exempt specific instances from the operation of these
provisions for the model law recognises that there may be good
reasons for specifying instances where it is not appropriate for an
electronically signed document to have the same effect as one with a
hand written signature as in the case of wills and negotiable
instruments.
 9 This section corresponds with Article 10 of the UNCITRAL model law
titled 'Retention of Data Messages':
(1) Where the law requires certain documents, records or information
be retained, that requirement is met by retaining data messages,
providing certain conditions are satisfied:
(a) the information contained therein is accessible so as to be
usable for subsequent reference
(b) the data message is retained in the format in which it was
generated sent or received, in a format which can be demonstrated to
represent accurately the information generated, sent or received; and
(c) such information, if any, is retained as enables the
identification of the origin and destination of the data message and
the date and time when it was sent or received.
(2) An obligation to retain documents, records or information in
accordance with Paragraph (1) does not extend to any information the
sole purpose of which is to enable the message to be sent or received.
(3) A person may satisfy the requirements referred to in Paragraph
(1) by using the services of any other person, provided that the
conditions set forth in sub-paragraphs (a) (b) (c) of Paragraph (1)
are met.
This Article establishes a set of alternative rules for existing
requirements regarding the storage of information. Paragraph (1) sets
out conditions under which data messages can be stored. Sub-paragraph
(a) reproduces conditions established under article 6 for a data
message to satisfy the requirement of 'writing'. Sub-paragraph (b)
emphasises that the message need not be retained unaltered as long as
the information stored accurately reflects the data message as it was
sent thus recognising that messages may have to be decoded or
compressed or converted in order to be stored. Sub-paragraph (c)
insists that transmittal information which may be necessary for the
identification of the message be stored.
Sub-paragraph (c) establishes a distinction between those elements of
transmittal information that are important for the identification of
the message and those covered by paragraph (2) which are of no value
with regard to the data message and which will automatically be
stripped out of an incoming data message by the receiving computer
before it actually enters the information system of the addressee.



10 Kamath, Nandan; Law Relating to Computers, Internet and
E-Commerce- A Guide to Cyberlaws; Universal Law Publishers; p 109.
11 Ibid; p 109.
12 Basu, Subhajit and Jones, Richard "Legal Issues Affecting
E-Commerce: A Review of the Indian Information Technology Act, 2000";
http://www.bileta.ac.uk/02papers/basu.html
13 supra n 10, p 118.
14 Therefore the key has to be securely transmitted to the addressee
in order to enable him to be able to read the message. Here lies the
primary disadvantage of the system - if the key can be securely
transmitted, so can the message! Further, there has to be some method
of ensuring that encrypted messages can be recovered if the private
key is lost - retaining the technology to do so makes it easy for
hackers. Further where there are a large number of users who will
have to access the system, secret key cryptography is potentially
unsafe because the risk of the key falling into the wrong hands is
greater; ibid, pp. 118-119
15 Sood, Vivek; Cyber law Simplified; Tata McGraw Hill Publishing Co, p 443.
16 supra n 12.
17 Vishwanathan, Suresh T; The Indian Cyber law; 2nd Edition; Bharat
Publishing House, New Delhi, 2001; p 42.
18 Mittal, D P; Law of Information Technology (Cyber law), Taxmann, p 52.
19 supra n 12.
20 Greenleaf, Graham "Privacy Implications of Digital Signatures";
http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html
21 Lemos, Robert "Digital signatures a threat to privacy?";
http://zdnet.com.com/2100-11-519795.html?legacy=zdnn
22 supra n 4.
23 supra n 21.
24 Ibid.
25 supra n 22.
26 Ibid.
27 Ibid.
28 supra n 21.
29 supra n 4.
30 Kaner, Cem "The Insecurity of the Digital Signature";
http://www.badsoftware.com/digsig.htm
31 supra n 21.
32 Schneier, Bruce "Why Digital Signatures Are Not Signatures";
http://www.counterpane.com/crypto-gram-0011.html
33 supra n 10, p 119.
34 Ibid, p 119.
35 Ibid, p 120.
36 supra n 33.
37 Berst, Jesse "Sign of Trouble: The Problem With E-Signatures";
http://www.zdnet.com/anchordesk/stories/story/0,10738,2604099,00.html
38 supra n 4.
39 supra n 12.
40 supra n 12.
41 supra n 1, p 75.