amendment to it act


Post on 07-Jan-2016


India does not require an IT Act

Observations on the Proposed Amendments to the IT Act, 2000

By Vijay Mukhi and Karan Gokani

THE ALL INDIA ASSOCIATION OF INDUSTRIES (AIAI)


Stirred by the recent data theft cases that have hit the international headlines, and fearing the devastating repercussions these may have on the BPO industry in India, an Expert Committee appointed by the Central Government has proposed several amendments to the Information Technology Act 2000 (IT Act). However, the amended IT Act that awaits parliamentary approval is merely a piecemeal attempt to amend the original one. Considering the failure of the previous Act, a more profitable venture would have been a rewrite of the entire Act, while simultaneously revamping the system of law enforcement that applies to IT-related offences in India.

In a country like India, where the Business Process Off-shoring (BPO) industry is growing so rapidly, it is crucial that there is a strong and reliable system of enforceable legislation to reinforce customer confidence. The most realistic way of establishing such a system, keeping in mind the distinctive features of our legal system, would be to update previous well-established laws to apply to the existing circumstances, in conjunction with legislating new laws, guidelines and rules on matters that the prevailing laws cannot address. Thus, ideally, the IT Act should be an umbrella act, under which various other auxiliary legislations coexist. The recently amended IT Act tries to achieve this by vesting power in the Central Government to frame rules and guidelines on various issues, so as to make the new Act resistant to technological change. Unfortunately, as a result of this approach, certain key areas tend to be rather vague and undefined.

Observations on the Proposed Amendments to the IT Act, 2000 aims at analysing the proposed IT Act while debating the relevance of certain provisions, and suggesting possible alterations and additions. The paper will discuss the feasibility of the IT Act as a single, all-encompassing statute in the present-day IT scenario in India. Moreover, the paper makes recommendations on several issues such as mobile phone cloning, the standard of due diligence for Cyber Cafés, ISPs and Corporations, and other vital issues that have been overlooked by the new Act.

THE PREVAILING ACT: WHERE THINGS WENT WRONG

Rather than focussing on the fine-tuning of the IT Act, we need to focus on the conviction of Cyber Criminals. For this we need to establish a system where the courts, the law enforcement machinery, and the citizens are equal stakeholders.

Recently there has been a flurry of articles and comments criticising the IT Act and the Cyber Law enforcement machinery in India. However, what would strike one as rather shocking is that the primary reason for the failure of the IT Laws in India is not the lack of awareness, lack of technological knowledge or lack of judicial officers, but the lack of attention given to the collection of electronic evidence.

The IT Act is probably the only Act which has survived five years since its legislation with fewer than five criminal convictions attributed to it.

A Failed Legislation?

To ensure convictions of criminals, we need to establish a system of Cyber Regulation and Justice. One would think that this could easily be realised by simply adapting the provisions of the existing IT Laws of foreign countries to suit the Indian circumstances. While such an approach will ensure an excellent legal framework, in practice, the grass-roots difficulties that are unique to the Indian scenario will continue to obstruct the administration of justice. Problems such as the collection of electronic evidence, the maintenance of authentic logs and technological difficulties will frustrate a case every time it reaches the courts.

In fact, it is these and other such issues that the IT Act fails to address which have eventually led to its failure.

What We Believe to be the Primary Causes of the Failure of the IT Act 2000

The IT Act was expected to ensure the end of Cyber Crime in India. Such a high expectation itself spelt the doom of this legislation. It must be understood that no single Act (no matter how well legislated) can satisfactorily address all the issues pertaining to Information Technology and Cyberspace. That's precisely where the Act and its critics went wrong. The attention, instead of being solely on legislating the IT Act, should have simultaneously been on establishing a system to enforce its provisions.

It is a well-known fact that the legislation of the IT Act was an effort to strengthen International Trade Relations. In fact, it was to be called the E-Commerce Act, and the ambit of this Act was to span issues solely related to E-Commerce. However, what was ultimately enacted was a law governing the entire IT Sector. This probably is one of the reasons for the IT Act's undue focus on E-Commerce, and its haphazard approach to addressing conventional cyber crime issues.

The IT Act errs in so far as it tends to be technologically specific while dealing with certain terms and issues. A better approach would have been to allow the courts to define and update these terms in keeping with the constant change in technology.

Cyber Crime Investigation and Collection of Electronic Evidence should have been central issues in the Act, but unfortunately have received far less than their due share of attention.

The lack of frequent issuing of Rules and Guidelines by the government has led to the IT Act functioning only as a framework legislation, without any real substance.

THE PROPOSED ACT: A CRITICAL ANALYSIS OF CERTAIN SIGNIFICANT SECTIONS

Section 1(2): Extent of the Act

The application of the Act extends to the whole of India and to any offence or contravention committed outside India by any person.

Instead of taking such a brave stand, the Act should have adopted a more realistic approach and laid down provisions to establish a National Cyberspace Regulatory Authority that keeps a consolidated record of the logs of all ISPs in the country, so as to facilitate the exchange of evidentiary information between state police forces. Such an Authority could also play an important role in fostering mutual relations between various nations, to facilitate the exchange of ISP logs and other vital information between them.

Such an approach would work towards securing the conviction of Cyber Criminals who try to route their activities through foreign nations so as to complicate investigation efforts and seek refuge under hostile legal systems. This would in effect realise the sentiment conveyed by Section 1(2), more fruitfully, by bringing criminals to book for contravening the provisions of this Act.

Section 1(4): Application of the Act

The classes of documents that were excluded from the ambit of the Act have been included under the proposed amendments. This move will encourage the growth of E-Governance in India. Such a step also sends out a positive signal, as it signifies that the government's outlook is changing, and that it is working towards the digitisation of records and documents. This provision may also help to bring about transparency in the functioning of the government.

Section 2: Definitions

The Definitions Section determines the scope and success of any legislative effort. This dictum becomes even more pertinent in the case of an Act purporting to legislate on a subject as complex as Technology. It is essential that the definitions be carefully framed, leaving them technologically neutral. Additionally, they should be framed in a manner that will allow the courts to interpret and adapt the definition of technical terms on a case-by-case basis. While the present Act attempts to do this in most cases by empowering the Central Government to prescribe guidelines and rules, it tends to get too vague while defining certain terms, such as "Data", which is defined as a representation of "Information", while the definition of "Information" in turn includes the term "Data". Hence this cross-reference between the two definitions fails to define the term "Data", which is one of the most crucial terms in the Act.

Additionally, the definition of "Originator" restricts the application of this term to a person, when it may well be the case that a computer program or intermediary is the originator of an electronic message. On the other hand, in an attempt to leave certain definitions open for future modification, certain terms have been defined so vaguely that they fail to have any significance. For instance, the term "Cyber Café" could be interpreted to include a computer training institute where students are given internet access for course work, a corporation where employees are allowed to use their computers to access the company website or to send emails to clients, a coffee shop that allows its clients access to Wi-Fi internet, and, in a particularly ridiculous situation, even an entire business locality which is covered by a Wi-Fi network.

Section 4 and Section 5: Legal Recognition of Electronic Signatures and Authentication of Electronic Records by Electronic Signature

Electronic Signatures have been recognised by the Act in place of Digital Signatures. This is an attempt to make the Act technologically neutral, and is a welcome change. However, the effect of this section is watered down by Section 5, which stipulates that until the Central Government prescribes another form of Electronic Signature to be used, Digital Signatures are to be used for the authentication of documents.

Section 10: Formation and Validity of Contracts

The new Section 10 (under Chapter IIIA) recognises the formation and validity of Electronic Contracts by means of electronic records. The inclusion of Chapter IIIA will be a boost to E-Commerce, and is a welcome addition to the Act.

Section 12: Acknowledgement of Receipt

The section provides that where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgement of such electronic record by him, then, unless the acknowledgement has been so received, the electronic record shall be deemed never to have been sent by the originator. For a better understanding of this section, reference must be made to Section 2(1)(s), which defines an electronic record as "data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche". Hence, in light of the above sections, it is clear that Section 12 can have a damning effect on electronic evidence in a court of law, and therefore can be misused by cyber criminals.

For instance, X sends a pornographic image as part of an email message to Y, containing a clause stating: "if no acknowledgement is given within five minutes of receipt of this email message, the email message will be deemed never to have been sent." If Y does not acknowledge receipt of the email message within five minutes of receiving it, the email message will be deemed not to have been sent; hence, even though the message actually resides upon the computer of Y, it cannot be used as evidence to prosecute X.

Therefore the inclusion of such a section in the Act is rather absurd, and can have severe ramifications.

Section 19: Recognition of Foreign Certifying Authorities

This section provides that the Controller of Certifying Authorities can, with the previous approval of the Central Government, and in accordance with the conditions and restrictions that may be prescribed by regulations, recognise any foreign Certifying Authority as a Certifying Authority for the purpose of this Act.

It is therefore essential for the Controller to implement the provisions of this section expeditiously, in order to facilitate E-Commerce with foreign clients.

Section 20: Controller to act as a Repository (deleted)

This section has been deleted. Thereby, under the proposed Act, the Controller is no longer the repository of all Electronic Signatures. This function has been handed over to the Certifying Authority, as it is believed that this section placed an unnecessary legal obligation on the Controller in case of a dispute between a Certifying Authority and a Subscriber, and additionally the practice of making the Controller the repository of Electronic Signatures is not followed anywhere else in the world.

While the effect of this amendment cannot be predicted at present, it may prove to be a difficult task in the future to keep a consolidated record of all the public keys issued by the various Certifying Authorities.

Section 43: Compensation for Damage to Computer, Computer System, etc.

This section may be said to impose a strict liability, as no intent or knowledge is required of the actor. Hence, even when the victim suffers no damage or harm, the person committing any of the acts enumerated under this section can be held liable. Likewise, even an innocent person may be directed to pay damages for a mistaken act of his. Therefore, to avoid such an unfair situation, the section must be amended to include damage or injury to a computer resource as a condition for damages.

The provisions listed under this section are analysed below:

At the outset, it must be noted that Explanation (vii) to the section clearly states that "without the permission of the owner" shall include access to information that exceeds the level of authorised permission to access.

In Subsection (1), Clause (a), the term "accesses" is defined very generically and could be interpreted to include acts like port scans or an attempt to crack passwords. Hence this subsection is a catch-all provision and can be effectively used by enforcement agencies to book cyber criminals.

Subsection (1), Clause (c) talks about computer viruses and contaminants. Here the term "contaminant" is extremely wide, and may also be applied to include computer viruses, Spyware or key loggers. In fact, the term is so vague that it may even be applied to any software program installed without the permission of the owner that slows down the system, even marginally.

Subsection (1), Clauses (d), (e) and (f) are very similar and can be made to apply to acts such as Denial of Service Attacks, installation of software applications that use up system resources, or even changing a file name or file location in memory.

Subsection (1), Clause (h) deals with password theft and subsequent misuse, credit card frauds, identity theft cases, etc.

Subsection (2) in practice is an impotent section, and only aims at giving a fake sense of security to foreign investors and MNCs who are apprehensive of investing in India, at present, as a result of the absence of Data Protection Laws.

Section 46: Power to Adjudicate Regarding Compensation and Penalty

This section provides that in the case of a contravention under the Act or any rules, regulations, directions or orders made there under, which renders a person liable to pay a penalty or compensation, an inquiry shall be held by an officer appointed by the Central Government, subject to certain provisions of the Act.

This provision makes it clear that, besides the Adjudicating Officer, no person may investigate or inquire into any contravention involving a pecuniary penalty or compensation for damages. Therefore it is essential to appoint such officers, exercising designated jurisdiction across the country, without delay, in order to facilitate the reporting and inquiry of contraventions. Without such a system, provisions of the Act such as Section 43 become ineffective.

In this regard it is interesting to note that even though this provision has been carried forward from the prevailing Act without any amendments, till date the Central Government has appointed only one Adjudicating Officer for the entire country, who is based in Delhi!

Chapter X: The Cyber Appellate Tribunal

The Act provides that Cyber Appellate Tribunals are to comprise only one officer. It would have been a better idea to increase the constitution of this body to three or more officers, with at least one being an expert in technological issues.

Section 65: Tampering with Computer Source Documents

This section has been carried forward without amendment, and makes provisions in respect of Computer Source Code which is required to be kept or maintained by law for the time being in force. Interestingly, however, there has been no such law in force since the enactment of the IT Act in 2000. Hence, in practice, this section is futile.

Section 66: Computer Related Offences

This section is the successor to the section on Hacking. While this section is rather wide in its ambit, and covers most cyber crimes, the use of the words "dishonestly" and "fraudulently" instead of "with the intent to cause or knowing that he is likely to cause" dilutes the effect of this section substantially. By using these terms, the section only holds a person guilty for an intentional act, and fails to have any effect in the case of an act done with his knowledge but without intent.

Consider the following illustration:

A software consultant is hired to install a software application on someone's computer, and he starts installing it without reading the installation instructions. Upon installation the computer automatically reboots, and the owner of the computer loses vital unsaved data. Here the software consultant installing the software has caused damage to the owner of the computer without his permission. Yet Section 66 will not apply, as his act is not a dishonest or fraudulent one; it is a result of his negligence. If, however, the words used by the section were "intent" and "knowledge", the consultant would have been held liable, as owing to his qualification as a computer consultant it can be assumed that he had the knowledge that installing the software may cause the system to reboot automatically, thereby causing a loss of unsaved data.

Hence the section deviates from the traditional test of mens rea, which holds that a person is equally liable for his omissions as he is for his acts.

In addition, the amended section prescribes a lesser penalty for offences, stipulating a maximum period of one year's imprisonment for offences under Subsection (1) and two years under Subsection (2), as opposed to the earlier penalty for hacking, which was imprisonment for a maximum term of three years. Such a reduction of penalty cannot possibly help to deter criminals; hence the rationale behind such a move is questionable.

Section 67: Publishing in Electronic Form of Information which is Obscene

This section imposes a strict liability on any person who publishes or transmits or causes to be published in the electronic form any pornographic material, as it makes no mention of his having had the intention or knowledge of doing so. Such a provision can prove to be rather severe, as a person may be held liable for publishing pornographic data without his knowledge. Take, for instance, a computer virus which infects a person's email client and sends out pornographic pictures to all the addresses in the address book, or an innocent hyperlink which directs a person to a webpage, which in turn causes various pornographic web pages to pop up.

The implications of this section can be stretched further to include an offensive joke sent to a person through an SMS or email, for which he could be held liable under this section!

On the other hand it is difficult to understand why the maximum term of imprisonment for publishing pornography has been reduced from five years to two years on first conviction, and from ten years to five years in the case of a subsequent conviction.

However, the second subsection, which provides a stricter penalty for publishing child pornography, is a welcome addition and tackles a social issue of great relevance in recent times, though the words "intentionally and knowingly" should be rephrased to read "intentionally or knowingly".

It is also interesting to note that under this section a person cannot be held liable for viewing pornographic material. Even the rather far-fetched contention that by viewing a webpage a cache of the page is created in the computer's memory is not applicable any more, as it is a well-established legal custom all over the world today that a cache in memory does not constitute downloading or transmitting of data.

Section 68A: Encryption and Other Technologies for Security of Data

This section is a welcome change, and will help E-Commerce, if the Central Government fulfils its duty of prescribing modes or methods for encryption from time to time.

Section 69: Power to Issue Directions for Interception or Monitoring or Decrypting of any Information through any Computer Resource

The amended section provides that only the Central Government may issue directions to intercept communications, as compared to the original section, under which even the Controller of Certifying Authorities was empowered to do so. Such a change has probably been made with a view to preventing the misuse of this power. But a better approach would have been to continue this power, while simultaneously prescribing harsh penalties for its abuse.

The amended section also removes "for preventing incitement to commission of a cognizable offence" as a reason for interception. This amendment will dilute the effect of the section and will handicap the law enforcement agencies.

Subsections (3) and (4) provide that the subscriber or any person in charge of the computer resource may be called upon to extend all facilities and technical assistance to decrypt information or provide access to the computer resource being investigated. Under these provisions a person could be forced to disclose his password or the location of incriminating files on his computer, and could thereby be made to incriminate himself. Hence this provision raises the debate as to whether a person can be compelled by law to incriminate himself.

Section 70: Protected System

This section defines a Protected System as a Computer, Computer System or Computer Network that has been declared so by a Central Government Notification. This system unnecessarily discriminates between Protected Computers and Other Computers. Such a distinction is unfair and would be similar to saying that the murder of a poor man would be looked at more partially as compared to that of a rich man. Hence it is futile to bring in this distinction, as all systems should be considered to be protected systems for the purpose of the Act, and unauthorised access to any system must be penalised strictly.

Section 72: Breach of Confidentiality and Privacy

This section addresses the critical issues of Confidentiality and Privacy. It is apparent that this addition is a reaction to the recent spate of data theft and pornographic MMS cases. However, Subsections (1) and (2) prescribe "intentionally" and "intention to cause injury" respectively as the requisite mens rea for the offence of disclosing evidence. Hence the section overlooks constructive knowledge and negligence, which make a person equally culpable.

Consider, for example, a BPO employee who has access to a list of credit card numbers along with their respective owners' names, and who sends such a file (titled "Card Information") as an attachment to a client under the impression that the file contains some other information. He cannot be held liable under Section 72(2), as he did not send the file with intent to cause injury to the credit card holders. However, if the section used the words "with the intent or knowledge that injury may be caused", the employee could be held liable for failing to take due care to check the contents of the file, as he is expected to know that files containing sensitive confidential data are stored on his computer.

Subsection (3) is too specific, as it restricts itself to the "private area" of an individual and uses terms such as "broadcast", "capture" and "under circumstances in which that individual has a reasonable expectation of privacy". Rather than being so narrowly specified, these terms should have been left to the interpretation of the court.

Subsection (4) makes a reference to an "aggrieved person", which is a rather vague term. Until such a term is well defined, people will not be aware of their rights and responsibilities, which is undesirable. For instance, if a person photographs a minor girl, without her knowledge, while she is swimming in a private swimming pool, can the parents of the girl be aggrieved persons, or is she alone the aggrieved person authorised to file a complaint under the Act?

This section should have also specifically included provisions concerning unsolicited calls and messages, camera phones, Spam email messages, validity of sting operations and the recording of voice messages.

Section 73: Penalty for Publishing Electronic Signature Certificate False in Certain Particulars

While the title of this section states "penalty for publishing Electronic Signature Certificate false in certain particulars", the working part of this section restricts the scope of the term "false in certain particulars" to three particulars. The section would have been better left vague, so as to be interpreted at the discretion of the courts.

Section 78: Power to Investigate Offences

This section stipulates that all offences under the Act can be investigated by a police officer having the rank of Deputy Superintendent of Police or above. This criterion is baseless, as the power to investigate must not be determined by the rank of an officer, but on the basis of his knowledge of technology and his experience of carrying out investigations dealing with electronic evidence.

Chapter XIA: Examiner of Electronic Evidence

This chapter is a welcome addition to the Act and, if properly implemented, will go a long way in securing the conviction of Cyber Criminals.

Section 79: Exemption from Liability of Intermediary in Certain Cases

This section may well be one of the most controversial amendments proposed. The principal flaw in this section is that the concept of an Intermediary is defined very widely and can be interpreted to include Cyber Cafes, Online Marketplaces and Search Engines.

It goes further to absolve intermediaries of all the requirements of due diligence. Such blanket protection of intermediaries is undesirable, as such a lack of accountability of intermediaries may instil fear in foreign clients and thereby impact the BPO industry adversely.

Moreover, placing the burden of proving that the intermediary has conspired or abetted in the commission of a contravention, on the complainant is rather unreasonable, as an ordinary person would not have access to electronic records, user logs and other vital information to prove the guilt of the intermediary.

Section 80: Power of Police Officer and Other Officers to Entry, Search, etc.

The original Section 80, which relates to Entry, Search and Arrest without a warrant by an officer not below the rank of Deputy Superintendent of Police, has been dropped by the amended Act. Hence police officers will be required to secure a warrant for entry, search and arrest during the investigation of cognizable or non-cognizable offences. Such a provision would be unfeasible, keeping in mind the volatile and delicate nature of electronic evidence, which can be rendered untraceable in a matter of a few minutes by a criminal who has been tipped off that an investigation is to be carried out on his machine.

Rather than adopting this approach to prevent misuse of the powers by the police officers, the Act should have focussed on training the Police officers involved in Cyber Crime Investigations, and imposing a harsh penalty for abuse of these powers.

Section 85: Offences by Companies

The amended Section 85 shifts the burden of proving that a member of the Company had knowledge of and had connived in the commission of a contravention, upon the prosecution. Hence this section protects the high-ranking officials of a Company, who, under the prevailing Act, can unnecessarily be dragged into a case involving a contravention of the provisions of the Act, without any fault of theirs. By doing so, this section upholds the legal principle that a person is assumed to be innocent, until he is proven to be guilty beyond reasonable doubt.

Section 88: Constitution of Advisory Committee

This section, like Chapter XIA, has tremendous potential to establish an effective system of IT Law in India. However, in order to be effective, the Advisory Committee should be established expeditiously, and its advice should be carefully considered and given effect to by the Central Government, especially on issues relating to the issuing of guidelines, orders and rules, and the updating of the Act to keep pace with technological change.

OBSERVATIONS ON CERTAIN CRITICAL ISSUES

Cyber Crime Jurisdiction: A Sticky Wicket

The IT Act envisages Extraterritorial Jurisdiction over Cyber Crimes. Hence a reading of Section 1(2) and Section 75 of the Act shows that the IT Act provides wide sweeping powers to the Indian courts to try cyber offences committed from any computer, computer system or computer network located in India. Moreover, an Indian court may prosecute any person, irrespective of his nationality, if he is found to be guilty of committing a cyber crime whose effect is felt in India. This implies that if an individual located in a foreign country commits a cyber crime in another country through a computer located in India, he will be guilty under the IT Act and will be liable for prosecution by the Indian courts.

However, in effect these provisions are rather impractical, as it is extremely difficult for Cyber Crime Investigators in India to obtain information and evidence from foreign ISPs. Similarly, police officers of one state often pass the buck onto the officers of another state, thereby delaying and inconveniencing the victim.

Hence there is an urgent need for a system where such difficulties are ironed out (refer to the comments on Section 1(2): Extent of the Act, above).

Theft or Deletion of Data by an Employee from his Workplace

If an employee copies data from a computer onto a floppy, CD-ROM, flash memory or any other device, or deletes any data from a computer which he did not have permission to use, he can be held liable under Section 43 of the Act, and if he does so dishonestly or fraudulently, he can also be held liable under Section 66.

Voyeurism

A person installing a voyeur camera in a hotel room, by means of which a person is filmed having a bath, is liable under Section 72. If this film is then broadcast by means of an SMS or MMS message, or via email/bluetooth/infrared, the person transmitting the message is liable under Section 72 and Section 67. Taking this illustration a step further, if this message is then forwarded by the recipient to another person by any of the abovementioned means, he too will be liable under Section 72 and Section 67.

Forwarding of Obscene Messages

A person forwarding obscene text, images or sound messages by means of an SMS, MMS, email message, Bluetooth or Infrared, or any other such means of electronic transfer, may be held liable under Section 67. Moreover, as Section 67 does not require the person to have any specific intention, even an obscene joke sent to the wrong mobile number can land a person in jail!

Port Scanning

A port scan in simple words is an attempt, by means of a network connection, to find out what programs and software applications are being run on a computer.

Though this act is only a means of preparing to hack into a computer, it may be punished under Section 43(1)(a), which disallows a person from accessing a computer resource without the permission of the owner or person responsible for it, or similarly under Section 66(a)(i) if done dishonestly or fraudulently.

Penetration Tests

A penetration test starts where a port scan ends: having found the services a computer runs, the tester probes, and where possible exploits, their vulnerabilities in order to show what an attacker could achieve. Hence a person conducting a penetration test without the permission of the owner may be held liable under Section 43(1)(a), which prohibits a person from accessing a computer resource without the permission of the owner or person responsible for it; or under Section 66(a)(i) if he does so dishonestly or fraudulently. A tester should therefore hold written authorisation naming the systems in scope and the period of the test before a single packet is sent.

Password Theft

A computer password is usually not stored in the clear but in hashed or encrypted form on the computer; obtaining, cracking or changing it is nonetheless access to, and alteration of, data, so the act of changing a password would make a person liable under Section 43 or Section 66 of the Act. However it is interesting to note that if a person sends an email message using another person's email account, from his own computer, he is not liable for any offence under the Act, as it fails to address this and other similar issues.

Misuse of Internet Account or Other Paid Service Account

If any person misuses the internet account, or other such account, of another person who is charged for the service, he can be held liable under Section 43(1)(h), or even under Section 66(b)(iii) if he does so dishonestly or fraudulently.

Phishing

Phishing is the act of stealing the online identity of another person, typically by luring the victim, with an email or a website that impersonates a bank or other trusted party, into disclosing passwords, card numbers or similar credentials. The act of phishing alone is not punishable under the Act; only the subsequent damage, loss or fraud caused as a result of it may make the perpetrator liable under the Act or other penal provisions.

This issue should have been clearly addressed by the IT Act, especially since the incidence of gaming frauds, Nigerian frauds and other such crimes has increased manifold in recent times. Though one may argue that phishing is an attempt to defraud someone, and can therefore be punished under the IPC, the unique nature of these crimes, the ease with which they can be carried out and the far-reaching consequences they can have call for specialised legislation (such as the IT Act) to deal with them.

Recording of Private Conversations

It is interesting to note that Section 72(3) restricts itself to the capturing or broadcast of an image of the private area of an individual without his consent. Therefore the act of recording a private conversation of an individual without his consent has not been made an offence under the Act.

While dealing with the privacy of an individual, the Act should have covered the capture of voice conversations and of all private acts without the consent of the individual, rather than restricting itself to visual images, and that too only of the private parts of the individual.

Morphing of Images

This issue has been overlooked by the Act.

Disclosure of Personal Data

Section 43(2) makes a company, firm or other association responsible for safeguarding any sensitive personal data that it handles. Therefore, in the absence of adequate security, if an employee discloses such data to any person who has no right to it, the company, firm or other association may be held liable under this section.

Mobile Phone Cloning and IMEI Number Reprogramming

Though the Act does not specifically deal with these offences, a person can be held liable for cloning a mobile phone's SIM card or reprogramming its IMEI number without the permission of the owner or person responsible for the phone, under Section 43(1)(a), or even under Section 66(a)(i) if he does so dishonestly or fraudulently. These sections may be applied because a mobile phone falls well within the definition of a computer resource.

Who is the Owner of a Computer Resource?

Where several users share a computer at home, it is difficult to ascertain who the owner of the computer is for the purposes of Section 43 and Section 66. For instance, if a man plants a key-logging device on a computer shared by him and his wife, to monitor his wife's activities, would he be committing an offence under the Act?

Hence the definition of owner must be clarified to address such situations.

Threatening or Defamatory Message and Cyber Stalking

The Act is silent on issues such as cyber stalking and defamatory or threatening messages (sent by email or SMS, posted on message boards, published as blogs, etc.). Though such acts can be penalised under the existing provisions of the IPC, a specific enactment is needed, as today such offences can be committed with greater ease, and have farther-reaching consequences, because of modern technology. Hence the penalties must be reinforced accordingly to have a greater deterrent value.

Spam Messages and Phone Calls

The Act is silent on issues such as unsolicited SMS messages, sales calls to mobile phones and spam email. These issues concern individual privacy, and should have been included under Section 72 or as a new section of the Act.

Consultancy Issues

Under Sections 43 and 66 of the Act, a computer consultant or engineer can be held liable for an act in which he exceeds the permission given to him by the owner or other person responsible for the computer resource.

Therefore such professionals must enter into explicit written agreements before carrying out any activity that is likely to touch these provisions. The agreement should record the permission given and the scope of the work, so that the activity is authorised rather than merely disclaimed, and disclaim liability for any consequences within that scope.

Blogging

Blogging has become an extremely popular means of self-expression. A blog posted online can be read by people all over the world within seconds, and there are even search engines dedicated to searching blogs.

The IT Act fails to define and address this rapidly spreading phenomenon. Hence today it is unclear whether a blog will be looked at on the same lines as a newspaper, and to what extent the freedom of expression protects the blogger.

Writing of Malicious Code and Spyware Programs

Viruses, worms, Trojans, spyware and the like have multiplied with the growth of technology and the Internet; today there are even viruses that can render a mobile phone unusable. Hence it is important to tackle this evil at the outset, and to provide strict penalties for any person who creates such programs. Though such a penalty may appear rather harsh, considering that the act is only preparation for committing an offence, it is essential in order to deter people from committing such offences.

The Trojan Horse Defence

Julian Green, a divorced British man, was arrested for allegedly viewing child pornography on his computer. The police seized his computer and found 172 pornographic pictures stored on it. After six months in custody, when the case finally came to court, Green admitted that there was child pornography on his computer, but attributed it to a Trojan which had lodged itself on the machine and downloaded images from pornographic websites every time he connected to the Internet. He also pleaded that he had gone to great lengths to remove this malicious program but had been unsuccessful. The police could not find any evidence to prove otherwise, and Green was set free.

In another British case, a seventeen-year-old hacker, Aaron Caffrey, was arrested for allegedly conducting a denial of service attack on the Port of Houston. Like Green, Caffrey claimed that the attack was the work of an attack script run from his computer by a Trojan. In this case, however, he claimed that the Trojan had destroyed all traces of itself after conducting the attack. He went on to say that the Trojan had been placed on his machine by other hackers who envied his success as a hacker, in an attempt to frame him. Hence, even though the police found no evidence of the Trojan on his computer, the court had no choice but to set him free, as he could not be proven guilty beyond reasonable doubt.

The cases discussed above are glaring examples of how a legislative enactment alone is not enough to regulate and prevent cyber crime. In both cases the accused was set free even though the law on the subject was well defined. Such cases highlight the crucial role played by electronic evidence in any cyber crime case: the procedure for collecting it, and the technical training given to the investigators, can decide the trial. Moreover the laws must evolve in tandem with changing technology, failing which they will become ineffective.

Man or Machine

In one interesting case, an employee who had just resigned from his job was arrested for stealing the company's confidential data and supplying it to his new employers. A thorough forensic investigation of his portable PC found that he did have certain confidential information on it, which had been deleted. Committing a crime and trying to cover it up is a grave offence. However the ex-employee pleaded that the data had been stored on the portable PC legitimately while he was employed by the complainant company, and that after he resigned and joined the other company he had, in line with the new company's policy, handed the machine over to its IT department, which converted all his Outlook Express email messages to Outlook. In doing so the program deleted the original messages and stored them in its own encrypted format. This behaviour of the program was noticed by another forensics expert, who testified in the employee's defence, as a result of which all charges were dropped.

Such cases raise a new problem for investigators, making it extremely important to distinguish between the actions of a human being and those of a computer program, failing which an innocent person may be wrongly convicted. The IT Act must attempt to address such technological

Maintenance of Reliable Logs

Even the most highly trained cyber crime investigator can at best trace the physical machine from which the crime was committed; from there on, traditional methods of criminal investigation take over. Thus it is imperative that the initial stage of the investigation, which leads to the machine, is carried out without a flaw.

In the majority of cases involving the Internet, a physical machine is located through its IP address, and the ISP tells the investigator which subscriber was using that address at the relevant time. The information provided by the ISP is therefore crucial to the investigation. If the ISP fails to maintain logs, or identifies the subscriber from records that are unreliable, the defence can destroy the entire case by creating a doubt in the mind of the judge. Two details decide whether such a record is reliable: the time of each event must be recorded against a correct, synchronised clock with its time zone stated, and the log must show exactly when an address passed from one subscriber to the next, since a query that is a few seconds off, or an address whose release was never logged, can point at the wrong person or at two people at once.

Consequently the maintenance of logs of IP address allocations, and the reliability of those logs, is absolutely essential, and a system to enforce this must be introduced as soon as possible. Without such a system it will be an unanswerable contention of the defence, in any cyber crime case, that the ISP's logs were inaccurate.

Regulation of Cyber Cafes

Computers are still rather expensive, and not everyone has access to one whenever they need it. As a result cyber cafes have mushroomed in even the smallest quarters of the country, and continue to do so at an alarming rate.

There is an urgent need to regulate such ventures, without which cyber cafes will become hotspots for criminal operations. Any person desiring anonymity will use a cyber cafe to commit his crimes, and the investigators will be unable to go any further once the computer has been located.

It is vital that cyber cafe owners are made to maintain logs of the use of their computers. These logs must state the name and contact details of the customer, which computer he used, and the exact time he logged on to and off the Internet. To ensure the authenticity of this information, cyber cafes could experiment with methods such as surveillance cameras, or written logs in which the manager verifies an individual's details against a valid personal identification document such as a passport or driving licence.

Moreover, to ensure compliance with such a system, all cyber cafes must be allowed to function only under the terms and conditions of a licence, which can be revoked or suspended in case of default.

Mandatory Disclosure of Cyber Crimes

It has been a trend among corporations to cover up incidents of cyber crime, probably with the intention of maintaining clients' confidence in the company. However such a practice frustrates the system of justice: a criminal who is allowed to go free remains a threat to society.

Hence it must be mandatory for corporations to publicly disclose any instance of cyber crime that occurs, failing which those in charge must be penalised. Such a compulsion would also make the company answerable to its shareholders (in the case of public companies) and customers, and introduce transparency into its functioning.

Such a law is in fact already in effect in the State of California, USA, where a company must notify the persons concerned of any theft of their sensitive personal data.

Such a compulsion may also be imposed on individuals.

Compulsory Maintenance of Logs and Records by Companies

Even though the Act does not make it mandatory for companies to adopt a strict security policy and to keep logs of their internal network traffic, it is in their best interest to do so, in order to avoid liability under Section 85.

This can be explained by means of the following illustration:

X, an employee of Company A, sends a pornographic email message to Y. Y files a complaint with the police. In the course of the investigation the police trace the IP address of the email to the Company. However, upon requesting the Company's network administrator for the internal network layout and usage logs, the police are informed that the Company does not maintain such records. In such a situation the investigation cannot proceed and the wrongdoer is left scot-free, while the Company can be prosecuted under Section 85 of the Act. However, if the Company maintains network records with which the police are able to trace the originating computer and the employee who sent the message, the Company will not be held liable for the offence.
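The following is an added example, not part of the original paper, showing the step the two passages above depend on: the ISP's "which subscriber held this IP address at this time?" (Maintenance of Reliable Logs) and the company's "which workstation held this internal address at this time?" (the illustration just given). Both questions have the same shape, so one parser serves both. The log lines are constructed, in a RADIUS-accounting/DHCP-lease style assumed for the demonstration; the subscriber names, workstation name and addresses are assumptions. The point it makes is the one the text makes: the answer is only as good as the log, so the code refuses timestamps with no stated UTC offset and reports plainly when no session, or more than one session, covers the instant asked about.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Session:
    who: str                  # subscriber login (ISP) or workstation/MAC (company network)
    ip: str
    start: datetime           # kept in UTC
    stop: Optional[datetime]  # None: no STOP record, so the session is presumed still open


def _parse_time(text: str) -> datetime:
    """Accept only timestamps that state their UTC offset. A log time without one cannot
    be compared with the complainant's clock and is exactly what the defence will attack."""
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)


def parse_sessions(lines: Iterable[str]) -> List[Session]:
    """Parse constructed accounting records of the form:
       <ISO-8601 time with offset> START|STOP user=<id> ip=<address>"""
    sessions: List[Session] = []
    open_by_ip: Dict[str, List[Session]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        when, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = _parse_time(when)
        if event == "START":
            s = Session(fields["user"], fields["ip"], ts, None)
            sessions.append(s)
            open_by_ip.setdefault(fields["ip"], []).append(s)
        elif event == "STOP":
            for s in open_by_ip.get(fields["ip"], []):
                if s.who == fields["user"] and s.stop is None:
                    s.stop = ts
                    break
        else:
            raise ValueError(f"unknown event in log line: {line!r}")
    return sessions


def holders_at(sessions: Iterable[Session], ip: str, at: datetime) -> List[str]:
    """Everyone whose session covered `ip` at instant `at` (UTC)."""
    return sorted({s.who for s in sessions
                   if s.ip == ip and s.start <= at and (s.stop is None or at < s.stop)})


def attribute(log_text: str, ip: str, at_iso: str) -> Tuple[str, List[str]]:
    """Answer 'who was behind this address at this time?', and say so plainly
    when the logs cannot answer it."""
    holders = holders_at(parse_sessions(log_text.splitlines()), ip, _parse_time(at_iso))
    if not holders:
        return "unattributed", []     # no session covers the instant: log gap or wrong clock
    if len(holders) > 1:
        return "ambiguous", holders   # overlapping sessions: a missing STOP or a corrupt log
    return "attributed", holders


# Constructed ISP accounting records (Indian Standard Time offsets). carol's STOP record
# was never written, so her session overlaps alice's and then bob's on the same address.
ISP_LOG = """
2005-11-02T10:15:03+05:30 START user=alice ip=203.0.113.45
2005-11-02T11:35:00+05:30 START user=carol ip=203.0.113.45
2005-11-02T11:40:10+05:30 STOP  user=alice ip=203.0.113.45
2005-11-02T11:40:12+05:30 START user=bob   ip=203.0.113.45
2005-11-02T13:02:00+05:30 STOP  user=bob   ip=203.0.113.45
"""

# Constructed DHCP lease records for a company's internal network: same record shape,
# but the 'user' is a workstation and the address is internal.
CORP_LOG = """
2005-11-02T09:00:00+05:30 START user=ws-finance-07 ip=10.0.5.23
2005-11-02T18:00:00+05:30 STOP  user=ws-finance-07 ip=10.0.5.23
"""

if __name__ == "__main__":
    for query in ("2005-11-02T05:00:00+00:00",   # 10:30 IST, asked in UTC: alice alone
                  "2005-11-02T11:38:00+05:30",   # alice and carol overlap
                  "2005-11-02T06:30:00+00:00",   # 12:00 IST: bob and carol
                  "2005-11-02T03:00:00+00:00"):  # 08:30 IST: nobody logged
        print(query, attribute(ISP_LOG, "203.0.113.45", query))
    print(attribute(CORP_LOG, "10.0.5.23", "2005-11-02T10:20:00+05:30"))
```

The "ambiguous" and "unattributed" outcomes are the ones that matter in court: an investigator who reports "alice" for 11:38 when the log also shows carol on that address, or who silently converts a naive timestamp using the wrong clock, hands the defence exactly the doubt the text warns about. An ISP or company that wants its logs to be usable as evidence has to log both ends of every session, against a synchronised clock, with the offset recorded.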

Prescribed Procedures of Cyber Crime Investigation

As already discussed above, the crux of the problem that plagues the Indian IT sector is the lack of convictions of cyber criminals. The only solution to this problem is to formulate a strict procedure for cyber crime investigations. As in all criminal matters, evidence forms the basis of the case; but in a cyber crime the issue of evidence is more complicated, because of the inherent fragility and sensitivity of the material and data used as evidence. Hence the only way of curbing the ever-increasing occurrence of cyber crime is to implement best-practice guidelines which must be strictly followed by investigators in every cyber crime case. These guidelines must be framed in consultation with IT professionals. Additionally, officials must be trained to detect and handle electronic evidence, and only officials with good technical knowledge and experience in the field should be allowed to lead an investigation (the stipulation on hierarchy should be done away with).

Lastly, the investigators must be provided with adequate technical instruments, and the government must issue guidelines detailing the investigative tools and hardware that may be used by the investigator.

[A few points for consideration while preparing a Manual for Cyber Crime Investigation have been specified in Appendix A]

CONCLUSION

It is interesting to observe that only a few decades ago, it was the norm for countries to have relaxed IT laws, to encourage growth of technology and the internet. Today, however, this attitude has reversed its path and legislators the world over are working vigorously to regulate cyberspace, and the use of technology.

India on the other hand seems to be following the earlier practice of encouraging technology through lawlessness. In fact the recent amendments to the IT Act clearly show that the Government is more concerned with relaxing penal provisions rather than consolidating the laws in our country to dispel the fears of MNCs and foreign investors.

The prevailing IT laws need to clearly address issues such as mobile phone cloning, number portability, password theft, spam emails and SMS messages, convergence of mobile phones and credit cards, standards of due diligence for intermediaries, investigation of cyber crimes and examination of electronic evidence, technical training of Cyber Crime Investigators, lawyers and the judiciary, etc.

A strong system of IT law in India can only be realised through the combined effort of experts in the fields of technology, law enforcement, legislation and the judiciary. This is essential because a technology expert can foresee technological changes, a legal expert can foresee complications in the courtroom, and an enforcement official the practical difficulties of implementation. Keeping these views in mind, the problems that currently ail the system, as well as those that may arise in the future, must be given careful consideration, and a system that can adapt to subsequent changes in technology must be instituted.

Finally, the government must act soon to establish this system, failing which lawlessness on the net will turn people away from it rather than popularising its use (the Internet still being a novel concept for most people in India). A weak legal framework will also attract international cyber criminals, and it will not be long before our shores become a haven for cyber criminals instead of foreign investors.

APPENDIX A

Drafting A Cyber Crime Investigation Manual:

Points for Consideration

Digital evidence forms the basis of the prosecution's case against the accused. A minor uncertainty in the evidence can destroy the prosecution's case, as a result of which a criminal can be set free.

Hence we recommend that the government publish a manual to guide forensic experts in their investigations. Such a manual would also regulate and standardise the procedure adopted by cyber crime investigators throughout the country. Additionally, it should have legal recognition, and should prescribe the software and hardware tools to be used in an investigation.

Such a manual will spearhead Cyber Law enforcement in our country, and give an impetus to forensic experts who are waiting for a directive to guide their efforts.

We have listed certain pointers below which could be taken into account while drafting such a manual:

The new dictum the world over is: think twice before confiscating a computer. This is simply because a single server may run more than one website, and similarly the functioning of an entire corporation may be dependent on a server. Confiscating such a server for investigation would be impractical and unfeasible. Hence, unless absolutely necessary, physical machines should not be confiscated.

There is also a debate on whether an investigator should pull the plug on a computer that is being taken in as evidence. Doing so may cause a device driver to malfunction or the file system to be corrupted, and it also discards everything that exists only in memory (running programs, open network connections and the keys for any encrypted disk); the other view is that the plug must be pulled, as the criminal may well have planted a logic bomb that deletes all data when the system is shut down normally. Both views are compelling. Therefore the Act must prescribe a procedure after considering both, and wherever possible the volatile state of the machine should be captured before the power is cut.

Another problem an investigator may be faced is a situation where the server or machine which is to be examined cannot be shut down, as it would not be practical or feasible to do so. In such a situation the Investigator must perform a live hard disk copy using a prescribed forensic tool in the presence of an appointed computer expert and witnesses.

As an initial precaution, investigators must also scan the surroundings of the computer and the CPU cabinet for physical booby traps which, although rare, are sometimes placed by professional Cyber Criminals.

The investigator must never work on the original machine or disk directly; he must work only on a copy of the hard disk, and if the original has to be connected to a workstation in order to copy it, it should be attached through a write blocker so that nothing can be written to it.

Once the computer has been shut down, a prescribed forensic tool such as EnCase should be used to make an image of the hard drive. We recommend that the copy be made on write-once media that cannot be tampered with or altered later, and that a cryptographic hash of the image be computed and recorded in the seizure documentation at the time it is made, so that any copy produced afterwards can be shown to be identical to it.

The entire investigative procedure must be accurately documented by the Investigating Officer, and must be carried out in the presence of neutral witnesses. We recommend that there should be three or more witnesses, one of whom is a computer expert, invited to be a part of the investigation by the Investigating Officer, and the other two witnesses should be persons who are competent to enter into a valid contract under Indian law, and who are well versed with the basics of computers.

The witnesses must be presented with a checklist before the commencement of the investigation. This checklist must lay down the procedure to be followed by the cyber crime investigators in simple and clear terms. It must also have a space for each witness to write down his or her comments, and to testify that the investigation was carried out in strict adherence to the procedure specified in the checklist.

Once the hard disk is seized by the investigator and sealed before the witnesses, the seal must be opened for the purpose of making a copy only before a magistrate or investigating witnesses, so that it cannot later be contended that the evidence had been tampered with.

In a situation where the computer cannot be seized, once a copy of the hard drive is made it must be sealed in the presence of a witness. We recommend that the copy be made in triplicate, so that one copy can be examined at the crime scene by a Mobile Cyber Crime Investigation Laboratory, the second can be sent to an expert laboratory for further verification of the findings, and the third can be kept as a backup which may also be presented in court. (It is important to note here that a copy of the hard disk made on write-once media such as a DVD-R or CD-R, with its cryptographic hash recorded at the time it is made, is of much greater evidentiary value, as the defence can hardly plead that the evidence has been tampered with.)
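The following is an added example, not part of the original paper and not EnCase's or any other vendor's code, showing the check a practitioner would want behind the imaging and the three-copy scheme just described: the image is hashed as it is acquired, the hash is recorded alongside it, and every copy is verified against that record before it is examined. It produces a plain bit-for-bit image (as dd would), not EnCase's own evidence format; the "disk" is a constructed file, and the file names are assumptions. The hash is a standard practice this paper does not itself mention.

```python
import hashlib
import os
import shutil
import tempfile
from typing import List, Tuple

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-gigabyte image never sits in memory


def sha256_file(path: str) -> str:
    """SHA-256 of a file's contents, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_hash(image_path: str, digest: str) -> None:
    """Write the digest next to the image in sha256sum(1) format; this line belongs
    in the seizure documentation the witnesses sign."""
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")


def acquire_image(source: str, image_path: str) -> str:
    """Bit-for-bit copy of `source` (a raw device, or here a constructed file) into
    `image_path`, hashing the bytes as they are read. The digest therefore describes the
    source as it was at acquisition, not as a later re-read happened to find it."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    digest = h.hexdigest()
    record_hash(image_path, digest)
    return digest


def verify_image(image_path: str) -> bool:
    """Recompute the image's hash and compare it with the one recorded at acquisition.
    Run this whenever a copy is unsealed, before it is examined or produced in court."""
    with open(image_path + ".sha256") as f:
        recorded = f.read().split()[0]
    return sha256_file(image_path) == recorded


def make_copies(master: str, digest: str, names: List[str]) -> List[str]:
    """The triplicate copies the text recommends, each carrying the same recorded hash."""
    copies = []
    for name in names:
        path = os.path.join(os.path.dirname(master), name)
        shutil.copyfile(master, path)
        record_hash(path, digest)
        copies.append(path)
    return copies


def demo() -> Tuple[bool, bool]:
    """Image a constructed 'disk', make three copies, then invert one byte in the lab copy
    and show that verification catches it. Returns (all copies verified, lab copy verified)."""
    with tempfile.TemporaryDirectory() as workdir:
        disk = os.path.join(workdir, "suspect-disk.raw")
        with open(disk, "wb") as f:
            f.write(bytes(range(256)) * 64)   # constructed 16 KiB of 'disk' content
        master = os.path.join(workdir, "image-master.dd")
        digest = acquire_image(disk, master)
        copies = make_copies(master, digest, ["image-scene.dd", "image-lab.dd", "image-backup.dd"])
        all_good = digest == sha256_file(disk) and all(verify_image(p) for p in copies)
        with open(copies[1], "r+b") as f:   # simulate tampering or silent corruption
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        return all_good, verify_image(copies[1])


if __name__ == "__main__":
    print("all copies verified, tampered copy verified:", demo())
```

The write-once medium stops the copy being changed; the recorded hash lets anyone, including the defence's expert, prove that it was not, and that the scene copy, the laboratory copy and the backup are the same bytes. Recording the hash of the original disk as well, as the demo does, ties the image back to the seized device.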

Another problem that ails the Indian cyber law enforcement system today is the lack of standardisation of procedures and tools. It is extremely important for the government to prescribe forensic tools for examining the computer and copying the hard disk. Once such software has been prescribed, a selected group of police officers must be given specialised training to operate it, and they must be employed full time solely to run the forensic examinations involving the tools they specialise in.

There is an urgent need to set up specialised computer forensics laboratories in all the major states of the country. Skilled individuals should be employed to run these laboratories, and they must carry out their functions in consultation with government recognised IT firms and associations.

In addition to these specialised laboratories, there must also be a group of highly skilled Cyber Crime Investigators, who are given adequate tools and resources to set up a Mobile Cyber Crime Investigation Laboratory at the crime scene or at a location nearby, so as to facilitate the search for evidence immediately.

One of the unique features of a Cyber Crime is that it can involve individuals located at opposite ends of the globe. A single criminal act can invoke several jurisdictions. Hence the state and district police wings need to iron out their differences, and cooperate with each other to fight this battle.

The government must enter into multilateral agreements on cyber crime issues with foreign countries, and forge agreements with them to extradite criminals on a case-by-case basis.

Lastly, corporations and individuals must be made aware of their rights and responsibilities. For instance, a corporation having an internal network must be required by law to maintain a network map, network logs and an adequate security policy. Similarly, ISPs must be compelled to maintain logs of their customers' usage. Without such steps it will be very difficult to reach an accurate conclusion in any cyber crime investigation involving them.
