The 18th Day of October of this millennium, India witnessed the enactment of Information Technology Act. An Act that is a class of legislation of its own. An act to govern and regulate the high-tech virtual electronic world.... the cyber world.
The information Technology Act is an outcome of the resolution dated 30th January 1997 of the General Assembly of the United Nations, which adopted the Model Law on Electronic Commerce, adopted the Model Law on Electronic Commerce on International Trade Law. This resolution recommended, inter
alia, that all states give favorable consideration to the said Model Law while revising enacting new law, so that uniformity may be observed in the laws, of the various cyber-nations, applicable to alternatives to paper based methods of communication and storage of information.
Overview: The heart and soul of any enactment is reflected rather engrafted in its 'Preamble' or introduction. The intention of the legislature, the problem at which it aims, the rigour, which it tries to mitigate, is reflected from the Preamble.
I personally feel that the preamble even gives a clear overview of the statute concerned. The I.T Act aims at legalizing "electronic Commerce" and provide for
"electronic governance". Further this Act has also amended the provisions of the (1)
Penal Code; Evidence Act; Banker's Book Evidence Act; The basic aim of these amendments is to strengthen the justice delivery mechanism and give recognition to the virtual 'e-medium'.
Strength & Shortcoming:
Nothing is perfect in this world. Not even the persons who legislate. Therefore it would not at all be feasible to expect that the laws enacted will be absolutely perfect, without any lacunas.
I feel that the I.T. Act is a piece of legislation of its time. The Act has brought radical change in the position of the virtual electronic medium. Let's evaluate the strength and shortcoming of the information technology under the following categories:
1. Digital Signatures
3. Justice Delivery System
4. Offences & Penalties
5. Amendments in the various Acts.
1. Digital Signature - Under this head I would deal with digital signature, certifying authorities and digital certificates.
A digital signature as defined in the Act means "authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3." "Authentication of any electronic record", was the call of the day before enactment of this Act. One of the most (2)
dreaded fear in the electronic media was that of impersonation with an intent to cheat / fraud. Further one of the greatest risk was 'voidable contracts'. A strong need was felt for some mode of authenticating electronic documents. This problem was remedied by providing for digital signatures.
The shortcomings in the Act with regard to digital signatures are of technical & procedural nature. The
lacunas in my opinion are in Chapter VI, which 'regulates certifying authorities and further in Chapter VII which deals with digital signature certificates'
Chapter VI -
i. Recognition of foreign certifying Authorities - S.19.
- Subject to such conditions and restrictions as may be specified by regulations, the controller may, with the previous approval of the Central Government, and by notification in the official Gazette recognize any foreign certifying authority as a certifying authority for the purpose of this Act.
- Where any Certifying Authority is recognized under sub-section (1), the Digital signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.
- * * *
I feel that regarding license of foreign certifying authorities, certification authorities already in recognized by the root certifying authorities in any other country should automatically be considered as
"provisionally recognized under (3)
Indian cyber law" and their certificates should be considered valid. They should be subjected to licensing only if they want to issue digital certificates to individuals or companies in India.
At this point one may well contend that then why even in such a case prior Government approval and Gazette notification should not be waived. If only a foreign company, which does not presently have recognition in any other country, wants to set up digital certificate service in India, only such companies may be subjected to prior approval of Government and Gazette notification.
The answer to the above contention in plain and simple language will be that there should exist some sort of regulating body to control the activities of the certifying Authorities. If they are given autonomy to such greater level there is a strong presumption that the innocent subscribers may become the victims of the unfair trade practices of these certifying authorities and further many illegal activities may also
Section 19(3) - Regarding licensing of foreign certifying authorities -
The power of the controller should be limited to suspension of the license only. Revocation should be with prior approval from the Central Government and notification in the official Gazette.
i. License to issue Digital Certificate - S.21
1. * * *
2. * * *
3. A license granted under this section shall (a) be valid for such a period as may be prescribed by the Central Government; (b) not transferable or heritable; (c) be subject to such terms and conditions as may be specified by the regulations.
I feel that the license should be made transferable. The license should be made transferred subject to the approval of the Government. If this provision is not available the commercial value of the certification business will suffer. It is also necessary if any of the existing certificate authority wants to exist or enroll a joint venture partner without affecting the existing costumers.
ii. Suspension of license: S. 25 -
(1) The Controller may, if he is satisfied after making such inquiry, as he may think
fit, that a Certifying Authority has -
(a) made a statement in , or in relation to , the application for the issue or renewal of the license , which is incorrect or false in materials particulars;
(b) failed to comply with the terms and conditions subject to which the license was granted;
(c) failed to maintain the standards specified under clause (b) of sub-sections (2) of section 20;
(d) contravened any provisions of this Act , rule , regulations or order made there under ,revoke the license;
Provided that no license shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation .
(2)The Controller may, if he has reasonable cause to believe that there is any
ground for revoking a license under sub-section (1), by order suspend such license
pending the completion of any enquiry ordered by him:
no license shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
(4) No Certifying Authority whose license has been suspended shall issue any Digital Signature Certificate during such suspension.
Regarding suspension / revocation of license of certifying authorities, the controller should have
power only to suspend a license of a certification authority. Revocation should be with prior approval of Government and notification in official Gazette.
iii. Power to delegate: S. 27 -
The controller may, in writing, authorize the Deputy Controller, Assistant Controller, or any officer to exercise any of the powers of the Controller under this
chapter.I If feel that this section should have contained a proviso clause whereby it should have provided that the power to delegate
should not include suspension, revocation of certifying authorities.
iv. Display of license - S. 32-
Every certifying Authority shall display its license at a conspicuous place of the premises in which it carries on its business.
This section is a drafting mistake and should be modified or deleted. The office of the Certifying Authority is not a place where the Neteziens visit physically. The requirement is therefore ridiculous many of the foreign certifying authorities may like to operate without a physical office in India. This provision will block such a possibility.
It is sufficient if the web site of the Certifying Authority through which certificates are issued contains the display of link to the license's particular.
The actual license may be kept on the web site of the controller.
i. Certifying Authority to issue Digital Signature Certificate - S. 35
1) * * *
2) * * *
3) Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such
particulars, as may be specified by regulations.
4) * * *
In my opinion this sub-section is a drafting mistake. There is no such thing as 'Certificate Practice System' for applicants of Digital
Certificate. (1) Therefore it should be deleted. This section does not belong to the section covering issues of Digital Certificates, to those who apply to the Certifying Authorities. It actually belongs to the section relating to Certifying Authorities applying for license with the controller.
Further in the light of the above-suggested change section 35 (4) should also be amended.
2. E-Governance: Chapter III of the Information Technology Act deals with the electronic governance. This chapter in my opinion is the soul of this whole Act. The distinguishing feature of this chapter may be discussed as below :-
i. Electronic Records - Section 4 of this chapter gives legal recognition to electronic records. This section provides that instead of written, typewritten or printed form any document may be presented in electronic form for present and subsequent reference / use.
ii. Digital Signatures - This chapter gives a legal recognition to digital signatures as well. Section 5 provides that where it is required or mandatory by law to affix signature, stamp or any such symbol, instead of this (i.e. signature) the electronic document may be secured / authenticated by affixing digital signature.
iii. E-Governance - In fact it is section 6 that actually provide for E-governance. Section 6 provides for use of electronic records and digital signature in Government and its agencies. The filing of any form, application or any document with any office, authority, body or agency owned or controlled by the appropriate Government in a manner, the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner, the receipt or payment of money in a particular manner then such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate government. Thus it is section 6, which actually legalizes e-governance.
iv. Justice Dispensation - This Act aims at setting up a hiercial set up for justice dispensation. They are adjudicating officers as mentioned in Chapter IX to deal particularly with offences committed under this chapter. Further it also provides for setting up of a Cyber Regulation Appellate Tribunal in Chapter X. Any person aggrieved by the order of the Controller may also move the CRAT. I will be dealing with the advantage & lacunaes of the justice dispensation mechanism as provided by the Act under the following heads: -
i. Cyber Regulation Appellate Tribunal
ii. Adjudicating Officers &
iii. Right to legal representation
i. CRAT: Chapter X of the Act deals with the establishment, composition, jurisdiction and powers of the Cyber Regulation Appellate Tribunal. Section 48 provides for the establishment of Cyber Appellate Tribunal. One of the outstanding features of the establishment of a Cyber Appellate Tribunal in my opinion is the
fast disposal of disputes.
Further section 49 of the Act deals with the composition of Cyber Regulation appellant Tribunal. It provides that a Cyber Appellate Tribunal shall consist of one person only, referred to as the Presiding Officer of the Cyber Appellate Tribunal to be appointed, by notification, by the Central Government. Regarding the qualification for appointment as Presiding Officer of the Cyber Appellate Tribunal, section 50 puts forth that either a) he is, or has been, or is qualified to be, a judge of a high court, or b) is, or has been, a member of the Indian Legal Service and is holding or has held a post in Grade I of that service for at least three years.
What seems to me objectionable
over here is the qualification as well as the composition of the
Tribunal. I feel that the position would be somewhat better if the Tribunal consists of
one presiding officer and three-member i.e. a total of four people. One of the members exclusively from the field of I.T. One out of the remaining two (leaving aside the presiding officer) strictly from legal / judicial background and the third having experience of both I.T. & legal field. Further while appointing the presiding officer every endeavor should be made to select a person who has some background of I.T. as well.
ii. Adjudicating Officers
- Section 46(1) of the Act for the purpose of adjudging provides for adjudicating officer. This section reads as follows -
S. 46. Power to Adjudicate -
(1) for the purposes of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made there under the Central Government shall, subject to the provision of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in manner prescribed by the Central Government.
2) * * *
3) No person shall be appointed as an adjudicating officers unless he possess such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government
4) * * *
5) * * *
A joint reading of sub-section 1) & 3) makes it clear that the Act prescribes
that no person should be appointed as an "Adjudicating Officer" unless he possess such experience in Information Technology and legal or judicial experience as may be prescribed by the Government. It would not be below the rank of a Director to the Government of India or an equivalent officer of the State Government.
At this juncture I would like to throw light upon the pecuniary jurisdiction provided under this Act. In the present legislations financial penalty imposed by this Act is highest i.e. up to on corer rupees. This indeed is a praiseworthy attempt to bring at least some relief to the aggrieved.
The adjudicating officer has powers to dispense punishment of up to 10 years of imprisonment and up to one corer of financial penalty based on his findings. Analysts who are terming the powers vested with the Police Authorities under this Act as
"Draconian" should consider the possibility of misuse of powers by one of the many adjudicating officers who may be operating under the system. Not withstanding the possibility of an appeal, the damage that a dishonest or an inefficient adjudicating officer may inflict on innocent Neteziens, Network manager, cyber cafe owners, ISPs, or IT companies could be deliberating. The Act does
not specify any checks and balances to prevent misuse of the powers of the adjudicating officers.
On the other hand, section 84 provides protection from legal action to the adjudicating officer for acts done in good faith. These provisions are quite loose and vague. Further these provision need to be reviewed and a proper system for appointment, periodical review, transfer, and removal of the adjudicating officer need to be provided.
One of the solutions to this problem is to mandate that all enquires will be held in the presence of an
"Expert watch-dog Committee" consisting of at least three members with requisite knowledge of law and information technology and persons of integrity. This committee can be drawn from a pool of talented persons created for the purpose
with the assistance of the Cyber Regulation Advisory Committee. The member of this committee should record their comments independently in a confidential report to the CVC or such other authority which can be referred to in the even of necessity and when an appeal being heard.
Deemed Public Servants - S. 82
According to section 82, all officers of the Cyber Regulation Appellate Tribunal and the Office of the Controller would be deemed as "Public Servants under section 21 of I.P.C.". This clause does not include the Adjudicating officer. Also experts feel that the public servant definition should be linked to the definition in the "Prevention of Corruption Act" and not "I.P.C.", Necessary modifications are required to put a rein on the
"Multiple Draconian Powers bestowed on the Adjudicating officers under the
iii. Right to legal representation: -
Section 59 of the Act deals with the 'Right to Legal Representation'. This section states - "The appellant may either appear in person or authorize one or more legal practioners or any of its officers to present his or its case before the Cyber Appellate Tribunal".
At the same time, under section 58 (1) the Cyber Regulation Appellate Tribunal is empowered to define its own procedures for conduct by stating - "The cyber Appellate Tribunal shall not be bound by the procedure laid down by the code of Civil Procedure, 1908 but shall be guided by the principles of natural justice and, subject to other provisions of this Act and of any rules, the Cyber Appellate Tribunal shall have powers to regulate its own procedures to regulate its own procedure including the place at which it shall have its sitting".
In view of these provisions, there was no need for the Act to specify in section 59 who can represent the appellant. This could have been left to the Tribunal to define, section 59 is restrictive in the sense that
the right to legal representation is limited to a "Legal
Practitioner". Since the Cyber Law is a complicated stuff and a "Legal Practitioner" may not be competent enough to handle the requirements of the case without an active assistance of technology expert, the enquiry process can be highly inefficient.
Further it is not clear what is meant by
"or any of its officers". Probably this refers to the case of a corporate entity being the appellant where he can depute one of its officers. If this is so, the company will have the option to depute a competent person even if he is not a legal practitioner. A similar freedom should be available to
non-corporate appellants also and they should be permitted to represent themselves through any person of their choice.
Electronic Hearing - Additionally the procedure for conduct should include electronic hearing through secured mode of real time communication over internet. (Secured Chat mode with digital identity of parties).
4. Offences and Penalties:
The provisions pertaining to offences covered and penalties provided by the Act are scattered in Chapter IX and XI of the Act. Section 43 provides for penalty up to rupees one corer by way of damages, in case of unauthorized access, contaminating the computer/ computer system, inducing virus or causing damage.
Though the damage which one might suffer may exceed one corer so in that case the compensation might not be adequate. However such cases are rare and the damages provided by this section in my opinion is adequate.
Further chapter XI in a magnificent manner covers all aspects of
cyber- crime. This chapter covers within its ambit-unauthorized access, hacking, obscenity, misrepresentation, and breach of confidentiality and privacy, fraud. One of the remarkable features of this chapter is section 75. This section gives
an extraterritorial effect to offences in contravention to the provisions of this
Though Chapter XI has been beautifully drafted to cover within its ambit all kinds of cyber-crime and further it enables the enforcement agencies to investigate offences. But a strong presumption regarding the misuse of the
power to confiscate raises its head. It may be well said that it is a Draconian Powers conferred upon the investigating authority.
5. Amendments in various Acts: -
The I.T. Act has brought amendment in four statutes vide of section 91-94. These changes have been provided in schedule 1-4. The 1st schedule contains the amendments brought about in the Penal Code. In short it may be said about this amendment that it has widened the scope of the term "document" to bring within its ambit electronic documents.
The second schedule deals with amendments to the India Evidence Act. As stated above the important change brought in the Evidence Act is that
pertaining to inclusion of electronic document in the definition of
evidence. Further the terms / expressions for this purpose have similar meaning as assigned to them in the I.T. Act.
The third schedule amends the Banker's Books Evidence Act. This amendment brings about change in the definition of "Banker's-book" to include printouts of data stored in a floppy, disc, tape or any other form of electromagnetic data storage device. A similar change has been brought about in the expression "Certified-copy" to include such printouts within its purview.
The fourth schedule amends the Reserve Bank of India Act. This amendment particularly pertains to the regulation of fund transfer through electronic means between the banks or between the banks and other financial institution.
Many of the changes proposed might not be acceptable to the legal feternity. But I feel that these changes will be strongly felt near future. I feel that this legislation overall is a masterpiece. The lacuna it has is only due to the lack of technical skill while drafting. I would again insist on these proposed changes to realize in toto the purpose for enactment of this statute.
At this point it would be too early to predict as to what kind of
legislation it will turn out to be. But undoubtedly the most important distinguishing characteristic of this Act is that it has provided legal recognition to the virtual electronic medium.
(1). Section 2 (h) - "certification practice system" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates.
You may also contact the author for any query concerning
this article : email@example.com