By Soumik Chakraborty and Sreedhar Kusuman
Editor’s Note: The Information Technology (Amendment) Act, 2008 serves as a suitable case study for an analysis of the legislative exercise of law and policy formulation in the field of cybercrime legislation, revealing quite emphatically the need for carefully worded provisions, foresight in the drafting process and imagination with respect to explanations to particular sections.
It is a belief of Vernians[i] that Jules Verne’s imagination and scientific temperament have been the reason for the development of modern technology as we see it today. When he wrote “20,000 Leagues Under The Sea”, he wrote about the world’s first submarine, the Nautilus, captained by the enigmatic Captain Nemo, and lo and behold, we soon had developed our own mode of underwater transportation.
Or when he wrote the story “From The Earth To The Moon”, about the Gun Club, a post-American Civil War organization that had the ambition to develop and send the first men to the moon using a capsule fired off the muzzle of an incredibly long gun mechanism, scientists all over the world joined the space race, culminating in the landing of Apollo 11 on the Sea of Tranquillity in July, 1969. In small or large measure, such visionary works by prolific writers have always been the basis for modern inventions such as Nuclear Energy, Monorail Transportation or even the Internet.[ii]
After the development of the World Wide Web and different web-based applications that eased communication and made information more easily available, a rising menace emerged: the misuse of technology for unlawful and unwanted purposes such as credit card fraud, phishing, hacking and spamming. Hacktivist groups such as Anonymous have emerged all over the world; inspired by ‘martyrs’ such as Julian Assange and Edward Snowden, they seek to make data free and available and to expose state secrets that are being kept hidden by the government.
For some people they are heroes and for government organizations, they are a nightmare. To curb the growing menace and to nip the problem in the bud in a technologically underdeveloped country like India, to give consideration to the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) and to give legal recognition to electronic commerce, the Information Technology Act, 2000 was brought into place in India with a subsequent amendment in 2008.
The IT Act 2000 was mainly intended to ensure legal recognition of e-commerce within India. Due to this, most provisions are mainly concerned with establishing digital certification processes within the country. Cybercrime as a term was not defined in the Act. It dealt with only a few instances of computer-related crimes. These acts, as defined in Chapter XI of the Act, are:
- Section 43 – Illegal access, the introduction of a virus, denial of services, causing damage and manipulating computer accounts.
- Section 65 – Tampering, destroying and concealing computer code.
- Section 66 – Acts of hacking leading to wrongful loss or damage.
- Section 67 – Acts related to publishing, transmission or causing publication of material that is obscene or lascivious in nature.
Punishment under Sections 65 and 66 is three years or a fine up to two lakh rupees or both. For Section 67, first-time offenders can be punished with up to 5 years with a fine up to one lakh rupees. A subsequent offense can lead to ten years of punishment and a fine up to two lakh rupees.
Salient Features of Information Technology Amendment Act
The Information Technology Act Amendment, which came into force after Presidential assent in February 2009, has the following salient features:
- Liability of body corporate towards Sensitive Personal Data – The amendment brought in changes to Section 43 of the IT Act 2000 under which, for the first time, any body corporate which deals with sensitive personal information and does not have adequate controls, resulting in wrongful loss or wrongful gain to any person, is liable to pay damages to that person to the tune of five crores.
- Introduction of virus, manipulating accounts, denial of services etc. made punishable – Section 66 has been amended to include offenses punishable as per Section 43, which has also been amended to include the offenses listed above; punishment may be imprisonment which may extend to three years or a fine which may extend to five lakh rupees or both. This is a change from the earlier position: the introduction of a virus or manipulating someone’s account has been made punishable with imprisonment for the first time.
- Phishing and Spam – While these have not been mentioned specifically, they can be read into the provisions of Section 66A. Through this section, sending menacing or annoying messages, and misleading information about the origin of a message, have become punishable with imprisonment up to three years and a fine.
- Stolen computer resource or communication device – The newly added Section 66B has been introduced to tackle acts of dishonestly receiving and retaining any stolen computer resource. This has also been made punishable with three years or a fine of one lakh rupees or both.
- Misuse of Digital Signature – Section 66C. Dishonest use of somebody else’s digital signature has been made punishable with imprisonment which may extend to three years, and the offender shall also be liable to a fine which may extend to one lakh rupees.
- Cheating – Cheating using a computer resource has been made punishable with imprisonment of either description for a term which may extend to three years, and the offender shall also be liable to a fine which may extend to one lakh rupees (Section 66D).
- Cyber terrorism – The newly introduced Section 66F talks about acts of cyber terror which threaten the unity, integrity or sovereignty of India or strike terror in the people or any section of the people. These include:
  - Denial of service of resources in use by the nation.
  - Attempting to penetrate or access a computer resource without authorization or exceeding authorized access.
  - Introducing or causing to introduce any computer contaminant likely to cause death or injuries to person or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorized access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons for the security of the State or foreign relations, or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

  These acts have been made punishable with imprisonment which may extend to imprisonment for life. In India, cyber terrorism has emerged as a new phenomenon. The probe into the 2008 serial blasts in cities like Ahmedabad, Delhi, Jaipur, and Bangalore found considerable evidence of cyber terrorism[iii]; the 2008 attack on Mumbai Taj Hotel, which is now famously known as 26/11, and the 2010 blast in the holy city of Varanasi also had trails of cyber terrorism.[iv]
- Child Pornography – The newly introduced Section 67B attempts to address the issue of child pornography. This section makes the publication or transmission of material in any electronic form which depicts children engaged in sexually explicit acts or conduct, and the creation, facilitation or recording of such acts and images, punishable with imprisonment of five years and a fine which may extend up to ten lakhs on the first offence, and seven years and a fine of ten lakhs on a subsequent offence.
- Intermediary’s liability – Intermediaries have been made liable to retain any information in the format that the Central Government prescribes (Section 67C) and are punishable for violation with imprisonment of 3 years and a fine. In case of any act which affects national sovereignty, intermediaries are liable to seven years (Section 69(4)).
- Surveillance, Interception, and Monitoring – In order to combat cyber terrorism, the government has further armed itself with drastic powers. Section 69 of the IT Act 2000, as amended, enhances the scope from the 2000 version to include interception and monitoring. This has been a major change in the section, which also empowers the government not only to monitor any traffic but also to block any site through an intermediary. Any failure on the part of the intermediary is punishable by seven years and also a fine (Section 69(4)). Earlier the provision did not mention any fine.
- Cognizance of cases – All cases which entail a punishment of three years or more have been made cognizable. Offenses with three years of punishment have also been made bailable (Section 77B). This change, though welcome, will make sure most cases falling under the IT Act will be bailable, with the sole exception of cyber terrorism cases, cases related to child pornography and violations by intermediaries in some cases.
- Investigation of Offences – One major change has been the inclusion of Inspectors as investigating officers for offenses defined in this Act (Section 78). Earlier these investigations were being done only by an officer of the rank of Deputy Superintendent of Police, which was a serious limitation mainly because the number of officers in this rank is limited. With this change, one can look forward to more cases being filed and investigated by police.
Shortcomings of the Act
While the Act has been successful in setting down the framework of regulations in cyberspace and addresses a few pressing concerns of misuse of technology, it suffers from a few serious lacunae that have not been discussed. Many experts, such as Supreme Court lawyer and cyber rights activist Pawan Duggal, argue that the Act is a toothless legislation[v] which has not been completely effective in issuing penalties or sanctions against perpetrators who choose to misuse the reach of cyberspace. There are certain areas of cyber law which need attention.
Spam may be defined as Unsolicited Bulk E-mail. Initially, it was viewed as a mere nuisance but now it is posing major economic problems. In the absence of any adequate technical protection, stringent legislation is required to deal with the problem of spam. The Information Technology Act does not discuss the issue of spamming at all. The USA and the European Union have enacted anti-spam legislation. In fact, Australia has very stringent spam laws under which the spammers may be fined up to 1.1 million dollars per day.
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity in electronic communication. Phishing is typically carried out by e-mail and often directs users to enter personal and financial details at a website. Phishing is an example of a social engineering technique used to fool users.
There is no law against phishing in the Information Technology Act. Though the Indian Penal Code talks about cheating, it is not sufficient to check the activity of phishing. Recently a phishing attack was noticed on the customers of State Bank of India in which a clone of the SBI website was used. What is worse is that even SBI has not alerted its customers. So the need of the hour is legislation which prohibits the activity of phishing in India.
Data Protection in Internet Banking
Data protection laws primarily aim to safeguard the interest of the individual whose data is handled and processed by others. Internet Banking involves not just the banks and their customers, but numerous third parties too. Information held by banks about their customers, their transactions etc. changes hands several times. It is impossible for the banks to retain information within their own computer networks. High risks are involved in preventing leakage or tampering of data, which call for adequate legal and technical protection. India has no law on data protection, let alone a law governing an area as specific as protection of data in electronic banking.
The Information Technology Act talks about unauthorized access but it does not talk about maintaining the integrity of customer transactions. The Act does not lay down any duty upon banks to protect the details of customers and clients. The U.K. has a data protection law, enacted 10 years back, that is, in 1998, under which banks or any person holding sensitive information may be held liable for damages if they fail to maintain adequate security protection in respect of data. In India, a bank’s liability would arise out of contract as there is no statute on the point.
Privacy and data protection are important issues that need to be addressed today as information technology assumes greater importance in personal, professional and commercial spheres. The European Union and the United States have strict policies relating to privacy and protection of personal data when such data or information is being transferred out of their domain.
It is also pertinent to note here that the absence of a specific privacy law in India has resulted in a loss of substantial foreign investment and other business opportunities. This deficiency has also served as an obstacle to the real growth of electronic commerce. Thus, a statute addressing various issues related to privacy is of utmost importance today; if an entire act cannot be brought into force, then at least specific provisions relating to privacy and data protection should be incorporated into the Act.
Identity theft worldwide is a growing problem. The IT Act 2000 fails to address this issue. This is a major drawback considering the fact that the majority of outsourcing work that India does requires the companies in India to ensure there is no identity theft. In fact, identity theft was one of the main reasons for a major hue and cry over an incident involving personal information of UK customers and an Indian web marketing company.[vi]
The issue of Cyber War has also not been discussed in the Act. International law is an important part of any legal regime and due provisions need to be made in congruence with the international framework of laws. India, in recent times, has faced a number of cyber attacks from China, and the Chinese hackers have overridden the firewalls on Indian databases like a Mongol army on the rampage. In the 26/11 attacks, a quantity of classified data was provided as intel to the perpetrators from neighboring nations conspiring against India. There are no provisions in the Act to make such perpetrators liable for their actions.
In an interview, Mr. Duggal stressed the need for overhauling the cybersecurity legal regime in the country, saying, “A historical mistake was made when the IT (Amendment) Act, 2008, made almost all cyber crimes, barring a couple, bailable offenses. The focus is more on enhancing the quantum of civil liability and reducing the quantum of punishment, which explains the reason why the number of cybercrime convictions in the country is in single digits.”[vii]
The most rampant cyber “misuse” that an individual makes nowadays is downloading movies through peer-to-peer sharing networks. This is a rampant violation of copyright laws, but the volume of perpetrators is so large that an effective measure cannot be taken to restrict it. In order to curb the growing menace of cyber crimes, the government often blocks access to websites. This has been argued to be a draconian measure and a violation of freedom of speech and expression under Article 19(1)(a).
Recently, in the case of the Tamil movie “Three”, the Madras High Court passed an order to prevent users from accessing torrent websites to dissuade them from downloading copies of the movie from the internet. While it may be a reasonable measure for just the singular movie, blocking access to the entire website is an unnecessarily strict measure. It is said that little knowledge can be a dangerous thing, which is exactly the situation with the government. It knows little and tries to implement measures based on such incomplete knowledge. Users are getting more proficient and sophisticated every day and know how to bypass security measures, while the legislation is still stuck in the Stone Age of cyberspace.
Copyright and trademark violations do occur on the net, but the Copyright Act 1976 and the Trade Mark Act 1994 are silent on the issue and contain nothing that specifically deals with it. There is therefore no enforcement machinery to ensure the protection of domain names on the net. Transmission of e-cash and transactions online are not given protection under the Negotiable Instrument Act, 1881. Online privacy is not protected; only Sections 43 (penalty for damage to computer or computer system) and 72 (breach of confidentiality or privacy) talk about it to some extent, but they do not hinder the violations caused in cyberspace.
Even the Internet Service Providers (ISPs) who transmit some third-party information without human intervention are not made liable under the Information Technology Act, 2000. One can easily take shelter under the exemption clause if he proves that the offense was committed without his knowledge or that he exercised due diligence to prevent it.
It’s hard to prove the commission of the offense as the terms “due diligence” and “lack of knowledge” have not been defined anywhere in the Act. And unfortunately, the Act doesn’t mention how extraterritoriality would be enforced. This aspect is completely ignored by the Act, even though it came into existence to look into cybercrime, which is on the face of it an international problem with no territorial boundaries.
Suggestions for Improvement
- The IT (Amendment) Act, 2008, reduced the quantum of punishment for a majority of cyber crimes. This needs to be rectified.
- The majority of cyber crimes need to be made non-bailable offenses.
- The IT Act does not cover a majority of crimes committed through mobiles. This needs to be rectified.
- A comprehensive data protection regime needs to be incorporated in the law to make it more effective.
- A detailed legal regime is needed to protect the privacy of individuals and institutions.
- Cyberwar as an offense needs to be covered under the IT Act.
- Parts of Section 66A of the IT Act are beyond the reasonable restrictions on freedom of speech and expression under the Constitution of India. These need to be removed to make the provisions legally sustainable.
Anti Spam Laws
The United States has a specific CAN-SPAM Act 2003[viii] which came into force in January 2004. Its major provisions are:
- False and misleading header information is banned.
- Deceptive subject lines are prohibited.
- Opt-out methods must be provided.
- Commercial email must be identified as an advertisement and it must include the sender’s valid physical postal address.
- Receivers must be warned of sexually explicit material.
Penalties include a fine up to USD 11000 and also imprisonment in specific circumstances.
The European Union, through the directive on privacy and electronic communication, 2003[ix], has been a major driving force behind the enactment of anti-spam laws in Europe. The UK imposes a fine of GBP 5000 on spammers if they fall within the ambit of its Anti Spam Act.
This was addressed in the US way back in 1984 through the Computer Fraud and Abuse Act[x]. This act governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers used in interstate and foreign commerce are involved[xi].
This act punishes not just anyone who commits or attempts to commit an offense under the Computer Fraud and Abuse Act but also those who conspire to do so. This act has been further amended by the US Patriot Act, 2001, which enhanced the scope and penalties imposed. The first-offense penalty is ten years’ imprisonment and the second-offense penalty is imprisonment of 20 years. These are much more stringent considering Indian law provides for just around three years of punishment in most cases.
In the UK, computer misuse was defined in 1990 through its Computer Misuse Act.[xii] This act dealt with unauthorized access and modification of computer material. Penalties imposed are to the tune of five years’ imprisonment with a fine.
Data Protection and Personal Privacy
These have been of major concern internationally and legislation has been passed as long ago as 1998 to ensure the protection of personal data. One of the leading pieces of legislation is the Data Protection Act, 1998 of the UK. While the Indian IT Act Amendment talks about ‘sensitive personal data’ in Section 43, it fails to define what exactly it implies by sensitive personal data.
The Identity Theft Enforcement and Restitution Act of the US has made further enhancements to the original act (Computer Fraud and Abuse Act, 1984) by making the act of causing damage to ten or more computers a felony. It also removed the limit of damage which was earlier set to USD 5000 in the Computer Fraud and Abuse Act.
One of the major emphases of this act has been to criminalize not only explicit threats to cause damage to a computer, but also threats (1) to steal data on a victim’s computer, (2) to publicly disclose stolen data, or (3) not to repair damage the offender already caused to the computer; and also to ensure that restitution orders for identity theft cases may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense.
Void for Vagueness Doctrine
The doctrine of Void for Vagueness, indigenous to the American legal system, has been derived from the due process clauses of the Fifth and Fourteenth Amendments to the U.S. Constitution.[xiii] The basis of the doctrine is uncertainty and lack of specificity and the philosophy underlying the principle appears to be quite simple – no one may be required at peril of life, liberty, or property to speculate as to the meaning of penal law.[xiv]
Thus, if it is found that a reasonably prudent man is unable to determine by himself the nature of the punishment, the prohibited conduct as envisaged under the statute, and what class of persons the law seeks to regulate, for lack of definiteness, the law may be regarded as ‘void for vagueness’.[xv]
The objective of a criminal statute is fairly simple, allowing citizens to organize the affairs of their lives with the knowledge of acts that are forbidden by the law, and the negation of this should logically be considered an infirmity of the legal system.
Thus, for example, the phrase ‘gangster’ when used in a penal statute, may render the statute void, since the phrase is open to wide-ranging interpretations, both by the court and the enforcing agencies.[xvi]
While there exist several such instances, mere uncertainty in a single phrase of a hastily drafted statute could render the law unconstitutional and void, thereby necessitating precaution in the framing of penal statutes that are bound to affect a majority of citizens, as is certainly the case with a statute regulating activities on the internet in a country as large as ours.
The Information Technology (Amendment) Act, 2008 serves as a suitable case study for an analysis of the legislative exercise of law and policy formulation in the field of cybercrime legislation, revealing quite emphatically the need for carefully worded provisions, foresight in the drafting process and imagination with respect to explanations to particular sections.
The inadequacies of the legislation and the resultant realistically anticipated problems reinforce the notion that criminal legislation cannot be left open to broad interpretations, especially with regard to internet regulations, considering the fact that cyberspace provides certain liberties in action that makes it easier to transgress laws, and with such characteristics inherent to the environment, any regulatory mechanism or legislative measure must seek to be comprehensive, clear and narrow in interpretive scope.
While the purpose of the Information Technology (Amendment) Act was to address increasing trends of cybercrime and in effect, make it difficult to be a cybercriminal, the irony rests in the fact that what the Amendment Act eventually has created is a situation wherein it perhaps, isn’t ‘easier to be a criminal’, but rather, ‘easier to be classified as a criminal’. The danger, in both cases, cannot be overemphasized.
Formatted on March 1st, 2019.
[i] Followers of the work of Jules Verne.
[ii] Also brought to you from the mind of Jules Verne.
[iii] (NDTV Correspondent, 2010).
[iv] (NDTV Correspondent, 2010).
[v] http://www.dnaindia.com/scitech/report-indias-information-technology-act-has-not-been-effective-in-checking-cyber-crime-expert-1818328, last visited on 31st March, 2014.
[vi] Horror of outsourcing to India – Indian call centers are illegally selling personal information of tens of thousand Australian customers: http://www.indiadaily.com/editorial/4198.asp
[vii] http://www.dnaindia.com/scitech/report-indias-information-technology-act-has-not-been-effective-in-checking-cyber-crime-expert-1818328, last visited on 31st March, 2014.
[viii] Spam Laws: http://www.spamlaws.com/spam-laws.html
[ix] European Union directive: http://www.opsi.gov.uk/si/si2003/20032426.htm
[x] Computer Fraud and Abuse Act, 1984, USA.
[xi] Computer Fraud and Abuse Act: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
[xii] Computer Misuse Act, UK: http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm
[xiii] Void for Vagueness Doctrine, LAW.JRANK.ORG, http://law.jrank.org/pages/11152/Void-Vagueness-
[xv] A. G. A., The Void for Vagueness Doctrine in the Supreme Court, 109(1) U. PA. L. REV. 67
[xvi] Lanzetta v. New Jersey, 306 U.S. 451 (1939); Edelman v. California, 344 U.S. 357 (1953).