Showing posts with label IT ACT 2000. Show all posts
Showing posts with label IT ACT 2000. Show all posts

Thursday, January 26, 2012

Video Conferencing Laws In India

Video conferencing is increasingly being used for the purposes of digital evidencing in India. Video conferencing would also be an important part of e-courts of India once they would be established. Presently, video conferencing is used for many computerised courts in India.

The information technology act 2000 (IT Act 2000) is the cyber law of India that has provided a legal framework for electronic governance, electronic commerce and many other aspects of online dealing. By implications, the IT Act 2000 also allows use of video conferencing for various purposes.

Despite these provisions and active use of video conferencing in India, video conferencing in India is a troubled technology. The recent episode of Rajasthan government and Rajasthan police not allowing the video conferencing of Salman Rushdie shows Indian anxiety with use information technology.

This controversy happened because we have no dedicated video conferencing laws and regulations in India. Obviously, we have no dedicated video conferencing blocking laws in India as well. In the absence of a clear cut law, Indian government is still applying traditional methods to regulate video conferencing in India. However, if at all any law applies to video conferencing in India the same must be the IT Act 2000 and not any Police Act or local law.

Surprisingly, few of our posts pertaining to video conferencing disappeared from Google India’s SERPs and Blogs search results and appeared again only after reporting of the same. It seems controversial posts that are well within the constitutional right to speech and expressions are screened in India once they are posted. But who is doing so is still a big question that must be answered to properly analyse the role of Internet intermediaries in India in this regard.

While Internet intermediaries have declined to pre screen users generated contents yet post screening is happening in many cases. If this post screening is happening due to Internet intermediary law of India then such post screening and removal may be fine if legally and constitutionally done. This is so because if the companies and Internet intermediaries fail to observe cyber law due diligence in India they may face civil and criminal trials in India.

It would be a good idea to clarify the position of use of video conferencing in India by Indian government so that its uses, abuses and regulation can be legally managed.

Tuesday, January 24, 2012

Video Conferencing Blocking Laws In India

Video conferencing has revolutionized the way our say to day affairs are managed. Video conferencing facilitates many important commercial and personal communications in a cost effective and efficient manner.

Obviously, video conferencing is regulated by laws of various nations. However, we have no dedicated video conferencing law in India. Of course, some shades of video conferencing regulations are governed by the cyber law of India incorporated in the form of information technology act 2000 (IT Act 2000).

However, there is no express provision that talks about blocking of video conferencing in India except to the extent permitted by the IT Act 2000. Video conferencing, just like other electronic communications, should be allowed unless it can be blocked as per the provisions of IT Act 2000 or other applicable laws. Even for such blocking of video conferencing in India, the norms established by the IT Act 2000 or any other similar law must be followed.

It seems the norms laid down by the IT Act 2000 have not been followed by the Rajasthan government and Rajasthan police and by not allowing the video conferencing of Salman Rushdie, without complying with the requirements of IT Act 2000, they have clearly transgressed the constitutional limitations that they are constitutionally bound to observe.

The fundamental right to speech and expression cannot be defeated through arbitrary and extraneous methods. Right to speech and expression can be curtailed only as per the well established constitutional procedure.

Although the intentions of Rajasthan government may be legal and justified yet the manner of executing those intentions is clearly unconstitutional. The legality and constitutionality of the Rajasthan government’s action is still doubtful and appropriate action must be taken in this regard.

Sunday, December 18, 2011

E-Commerce Laws In India

Technology has brought many important changes the way we deal in our day to day lives. Whether it is e-governance or e-commerce, individuals and companies are equally benefited due to use of technology.

Realising that cyberspace can bring many commercial benefits; both individuals and companies are ensuring that they have strong online presence. More and more brand promotion and protection in India are done these days in an online environment. Companies and individuals are also ensuring domain name protection in India so that their reputation and goodwill is not misappropriated by others.

We have no dedicated e-commerce laws in India. However, the information technology act 2000 (IT Act 2000), which is the sole cyber law of India, is regulating the e-commerce business and transactions in India. Internet intermediaries liability in India under the IT Act 2000 is very stringent. Cyber law due diligence in India is one aspect that all e-commerce site owners must frequently engage in.

Electronic commerce in India (E-commerce in India) has slowly and steadily entered the Indian market. Toady from tickets booking to purchasing of good and services, everything happens in an online environment.

Of course, where commercial transactions occur, disputes and differences are bound to occur. To prevent and resolve these disputes we need norms, regulations and laws that are acceptable to all the stakeholders.

The e-commerce law of India is primarily incorporated in the information technology act, 2000 (IT Act 2000) that takes cares of legal obligations of both sellers and buyers of good and services in cyberspace.

The IT Act 2000 prescribes rules and norms for online contract formulation. The traditional concepts of offer, acceptance etc, as applicable under the contractual laws, have also been covered by the IT Act 2000. The only difference is that they have been customised as per the requirements of cyberspace.

However, e-commerce transactions and contracts also attract certain additional legal liabilities that e-commerce players in India are not very much aware. For instance, very few e-commerce players in India are aware that they are “intermediaries” within the meaning of IT Act 2000. Further, there are very few e-commerce lawyers and law firms in India that can provide expert services in this regard.

Further, other laws, including intellectual property laws, make these e-commerce players labile for civil and criminal actions. For instance, these e-commerce players can be held liable for online infringement of copyright in India of the copyright owners.

Similarly, if any person posts an offending material at the e-commerce site or otherwise deal with the e-commerce site in an illegal manner, the e-commerce site owner may find himself in trouble.

Cyber law due diligence in India is one aspect that all e-commerce site owners must frequently engage in. The present laws of India are stringent in nature and subsequently claiming ignorance of such laws would not make much difference.

Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend that before opening an e-commerce site or business, the owner of the same must consult a good techno legal law firm that can advice him upon all the possible and applicable aspect of e-commerce laws in India.

Friday, December 16, 2011

Social Media Laws In India

Social media laws in India are in limelight these days. Social media websites are very popular among technology savvy as well as ordinary Netizens. More and more Netizens are joining social platforms to share their opinions, views, data and details. However, social networking laws in India are not adequate and properly drafted.

Social media includes social networking sites, blogs, forums, wikis, etc. Social media is growingly seen as a medium to connect with millions of professionals, friends and like minded individuals and organisations.

India is also witnessing a growing revolution of information and communication technology (ICT) and social media usage. However, till now we have no social media policy in India. Even we do not have dedicated social networking laws in India that can take care of the misuses of social platforms.

However, the framework and guidelines for use of social media for government organisations has been recently suggested by department of information technology. Theses guidelines provide an Indian social media framework for governmental departments and organisations that employees of these organisations must follow.

Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend that Indian government must enact strong and effective social media laws, e-governance laws and e-commerce laws in India. These three fields are going to assume centre stage in the near future and their regulation by Indian government would be required.

Till now India has enacted a single technology law in the form of information technology act 2000 (IT Act 2000). It has tried to cover all the three issues but not with great success. This is so because these three fields are very vast and require a different treatment and separate law. Perry4Law and PTLB strongly recommend enacting suitable laws in this regard.

Tuesday, December 6, 2011

Internet Censorship In India

Internet in India is under potential threat of censorship and e-surveillance. Internet censorship in India has increased a lot. Similarly, e-surveillance in India has also increased to intolerable limits.

India has a draconian but cyber criminals’ friendly cyber law in the form of information technology act, 2000 (IT Act 2000). It was amended in 2008 to confer unregulated e-surveillance, Internet censorship and website blocking powers to Indian government and its agencies. The present cyber law of India is an unconstitutional one in the absence of procedural safeguards that can prevent these abusive draconian powers under the IT Act 2000. It requires an urgent repeal.

On top of it we have the proposed central monitoring system (CMS) project of India that has been proposed without any parliamentary oversight. Further, stress upon Internet kill switch is also given by India without realising that Internet kill switch is not a solution to cyber threats. Anti Internet kill switch measures are needed to prevent Indian government from taking recourse of any such unconstitutional and draconian action.

Website blocking and Internet censorship should be resisted as far as possible in India. This fight should be techno legal in nature where both technical and legal measures must be adopted to thwart surveillance and censorship activities of Indian government and its agencies. Proactive self defence in cyberspace is needed not only against alien enemies but also against our own Orwellian government.

Self defence in cyberspace is a concept whose time has come at both national and international level. At the national level of India self defence is required not only against cyber criminals but also against our own over zealous and e-surveillance oriented Indian government. Suggestions have been given in the past that United Nations (UN) must protect human rights in cyberspace as well. However, UN is not serious about protecting human rights in cyberspace.

At the national level, Indian government acquired itself unregulated, illegal and unconstitutional e-surveillance, Internet censorship and website blocking powers with no procedural safeguards. The information technology act, 2000 (IT Act 2000) was amended through the information technology amendment act 2008 (IT Act 2008) and this amendment gave unconstitutional and illegal powers to Indian government and its agencies. With the notification of the IT Act, 2008, the journey from welfare state to a police state was completed for India.

Instances of website blocking in India and Internet censorship in India have increased a lot. What is more worrisome is the fact that e-surveillance and Internet censorship in India have increased without any lawful interception law in India. Lawful interception law in India is missing and phone tapping in India is done in an unconstitutional manner.

Of all e-surveillance project, nothing is worst than the Aadhar project of India and its implementing unique identification authority of India (UIDAI) headed by Nandan Nilekani. Irrespective of what Nandan Nilekani and Indian government says, Aadhar project and UIDAI are serving a very vicious, evil and nefarious objective of e-surveillance without procedural safeguards. Surprisingly, even Google is censoring results pertaining to Aadhar project and UIDAI and is messing up with search placement results.

Now Internet intermediaries in India have been asked to pre screen contents before they are posted on their platforms by the account holders. India wants companies like Google and Facebook to censor users’ contents. In fact, Goggle web censorship has greatly increased in the past. Perhaps somebody at Google was already doing the pre screening of some web contents in India, with or without knowledge of Google.

Google has been in controversies from time to time. Whether it is illegal data gathering, censorship of Google news searches, manipulation of search results, etc, Google has been doing it all. In fact, it seems Google was actively helping Indian government and its agencies for messing up with Aadhar project, UIDAI, World Bank or any other similar post that questions the wrong practices of Indian government. During that period Google continued its censorship drive in India and many posts failed to appear in news, blogs and search segments.

What Internet intermediaries are facing now is a direct result of their succumbing to Indian government pressure and unconstitutional laws like IT Act 2008. They should have challenged the constitutional validity of IT Act 2008 that is the root cause of all these troubles. Fortunately Yahoo took Indian government to court over e-surveillance and more such litigations are expected in the near future. Let us see how cyber law of India would develop in this regard.

Friday, November 25, 2011

Yahoo Took Indian Government To Court Over E-Surveillance

E-surveillance in India has become a big nuisance for intermediaries like internet service providers (ISPs), e-commerce sites, search engines, e-mail providers, etc. The liability of Internet intermediaries for copyright violations is also well known that has further increased the troubles of intermediaries in India.

Intermediaries liability for cyber law due diligence in India has become very stringent after the information technology amendment act 2008 has been notified. Information technology act 2000 (IT Act 2000) now carries many e-surveillance, websites blocking and Internet censorship provisions.

The problem is that there are “no procedural safeguards” subject to which these wide and sweeping powers can be exercised. This is also the reason why these provisions are unconstitutional and illegal as they are violating the provisions of Indian constitution.

However, in the larger interests of their commercial activites in India, these intermediaries not only accepted the draconian amendments in the cyber law of India but they are also complying with the legal as well as illegal orders of Indian government and its agencies. However, this approach would be counter productive for them in the long run and they must come forward against such laws and draconian provisions.

Yahoo has taken a very significant step in this regard. Yahoo has approached the Delhi High Court against the Union home ministry's attempts to obtain information about nearly a dozen Yahoo IDs/IP addresses it suspects are used by Islamic terrorists and Maoists.

Yahoo has challenged the legality of the government's decision to penalise it by slapping it with a fine of Rs 11 lakh because Yahoo refused to share profile details of the users of these email ID's that are under the scanner of the agencies. Recently, the HC stayed the imposition of the fine, and sought a response from the Centre.

In its petition, Yahoo has raised questions on the right to privacy of a company that stores such sensitive data and to what extent authorities can coerce it to part with the information considered necessary to either track terror perpetrators or thwart future attacks. "The government cannot under the cloak of national security implications bypass legal procedures," the petitioner has argued, claiming the section and clauses invoked by the Union ministry to demand information from Yahoo doesn't empower the government to do so.

Yahoo has taken a bold step that even companies like Google have not been able to do so. The matter is pending before the Delhi high court that has a good chance to bring some order in the otherwise chaosed e-surveillance world of India. The issue of phone tapping and privacy violations in India is also pending before the Supreme Court of India.

The matter must also be looked from another angle. Human rights protections in cyberspace in India are not safeguarded at all. Even at the international level United Nations has not shown much interest in protecting civil liberties in cyberspace. The data privacy laws in India are also missing. In short, there is complete negation of human rights in cyberspace in the Indian context.

Yahoo’s case may bring to the knowledge of Indian courts this situation and we may expect some respect for the constitutional rights and freedoms that are seldom respected in India these days.

Sunday, September 25, 2011

E-Commerce Laws In India

Information and communication technology (ICT) has changed the way we make our commercial transactions. Even payments for such online dealings and transactions can be made through an online mode. One such commercial use of ICT is electronic commerce.

Electronic commerce in India (E-commerce in India) has slowly and steadily entered the Indian market. Toady from tickets booking to purchasing of good and services, everything happens in an online environment.

Of course, where commercial transactions occur, disputes and differences are bound to occur. To prevent and resolve these disputes we need norms, regulations and laws that are acceptable to all the stakeholders.

The e-commerce law of India is primarily incorporated in the information technology act, 2000 (IT Act 2000) that takes cares of legal obligations of both sellers and buyers of good and services in cyberspace.

The IT Act 2000 prescribes rules and norms for online contract formulation. The traditional concepts of offer, acceptance etc, as applicable under the contractual laws, have also been covered by the IT Act 2000. The only difference is that they have been customised as per the requirements of cyberspace.

However, e-commerce transactions and contracts also attract certain additional legal liabilities that e-commerce players in India are not very much aware. For instance, very few e-commerce players in India are aware that they are “intermediaries” within the meaning of IT Act 2000.

Further, other laws, including intellectual property laws, make these e-commerce players labile for civil and criminal actions. For instance, these e-commerce players can be held liable for online infringement of copyright in India of the copyright owners.

Similarly, if any person posts an offending material at the e-commerce site or otherwise deal with the e-commerce site in an illegal manner, the e-commerce site owner may find himself in trouble.

Cyber law due diligence in India is one aspect that all e-commerce site owners must frequently engage in. The present laws of India are stringent in nature and subsequently claiming ignorance of such laws would not make much difference.

Perry4Law and Perry4Law Techno Legal Base (PTLB) strongly recommend that before opening an e-commerce site or business, the owner of the same must consult a good techno legal law firm that can advice him upon all the possible and applicable aspect of e-commerce laws in India.

Friday, July 1, 2011

Microsoft And Skype Are Playing Lawful Interception Card

World over Lawful Interception Laws are cited as the reason for E-Surveillance and Eavesdropping. However, almost all of these so called Lawful Interception Laws are themselves “Unconstitutional”.

Take the example of Indian Cyber Law the Information Technology Act 2000 (IT Act 2000) that carries many draconian E-Surveillance provisions without any “Procedural Safeguards”. These provisions and laws are pressed to further the causes of e-surveillance and eavesdropping.

Research in Motion’s (RIM) Blackberry has already allowed a backdoor entry to Indian Intelligence Agencies for its cloud based Messenger Services. Now it has been reported that Skype and Microsoft have build a backdoor into the VOIP application. It is called Lawful Interception and is part of a new patent which Microsoft filed back in 2009, but is now preparing to unleash itself into our world due to its recent approval.

The US law set by CALEA (Communications Assistance for Law Enforcement Act) states that all telecommunications operators must enable their hardware and software for surveillance tracking. What is hard to understand is why Microsoft is so willing to open up its software for backdoor exploits. This creates a situation which welcomes exploits and willingly turns your computer into a revolving door for hackers.

While following a Law is not per se wrong but following an “Unconstitutional Law” is definitely wrong. Similarly following a Constitutional Law is the “Duty” of all people but following draconian, Unconstitutional and Inhumane Laws is definitely not required.

Let see who would win the battle between E-Surveillance and Human Rights Protection in Cyberspace. However, with the growing e-surveillance and eavesdropping, Self Defence Measures in Cyberspace would definitely increase in future.

Digital Preservation Mandates Of Public Records Act 1993

Digital Preservation in India and Digitilisation of traditional records are in the infancy stage. This is so because we have no Legal Framework for E-Governance in India. We have no law that mandatorily requires creation of Electronic Records. Of course, very soon such law may be required due to International pressure and National requirements.

Information Technology Act, 2000 (IT Act, 2000) is the sole Cyber Law of India. It deals with E-Commerce, E-Governance, Cyber Crimes, etc. It also provides a “Digital Framework” for ensuring Digitilisation, Electronic Documents Creation and their use in Government Departments. This “Research Report” of Perry4Law and Perry4Law Techno Legal Base (PTLB) is briefly analysing the relationship between IT Act, 2000 and Public Records Act, 1993 (PRA 1993).

Section 2 of IT Act, 200 deals with definitions that are relevant for PRA 1993 purposes. Section 2(1) provides that in this Act, unless the context otherwise requires:

(i) "Access" with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network.

(ii) "Affixing Electronic Signature" with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of Electronic Signature.

If documents are issued by NIA in electronic form, they have to be authenticated by using electronic signatures. Unauthenticated electronic documents would not create any right or liability either under the IT Act, 2000 or under the PRA 1993.

(iii) "Asymmetric Crypto System" means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.

Digital Signatures are based upon Asymmetric Crypto System and they can be used for “Authentication Purposes” by NAI.

(iv) "Computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.

(v) "Cyber Security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction.

Cyber Security is an issue that is of “Paramount Importance” for the NAI. When Digitilisation and Digital Preservation would be adopted by NAI, Electronic Documents and Digital Resources would be required to be protected from Cyber Attacks. A Techno Legal Strategy must be formulated by NAI in this regard.

(vi) "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

(vii) "Digital Signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.

(viii) "Electronic Form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device.

(ix) "Electronic Record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.

(x) "Electronic signature" means authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature.

(xi) "Information" includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.

(xii) "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.

(xiii) "Key Pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.

(xiv) "Private Key" means the key of a key pair used to create a digital signature.

(xv) "Public Key" means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.

(xvi) "Secure System" means computer hardware, software, and procedure that-

(a) Are reasonably secure from unauthorised access and misuse;

(b) Provide a reasonable level of reliability and correct operation;

(c) Are reasonably suited to performing the intended functions; and

(d) Adhere to generally accepted security procedures.

(xvii) "Security Procedure" means the security procedure prescribed under section 16 by the Central Government.

(xviii) "Verify" in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether:

(a) The initial electronic record was affixed with the digital signature by the use of private key corresponding to the public key of the subscriber;

(b) The initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.

Section 2 (2) of the IT Act, 2000 provides that any reference in this Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any, in force in that area.

Section 4 of the IT Act, 2000 provides Legal Recognition to Electronic Records. It says that where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is

(a) Rendered or made available in an electronic form; and

(b) Accessible so as to be usable for a subsequent reference

Section 5 of the IT Act, 2000 provides legal recognition to Electronic Signature. It says that where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.

Explanation to section 5 provides that for the purposes of this section, "Signed", with its grammatical variations and cognate expressions, shall, with reference to a person, mean affixing of his hand written signature or any mark on any document and the expression "Signature" shall be construed accordingly.

Section 6 of the IT Act, 2000 deals with use of Electronic Records and Electronic Signature in Government and its agencies. Section 6(1) of the Act provides that where any law provides for

(a) The filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;

(b) The issue or grant of any licence, permit, sanction or approval by whatever name called in a particular manner;

(c) The receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government.

Section 6(2) of the Act provides that the appropriate Government may, for the purposes of sub-section (1), by rules, prescribe -

(a) The manner and format in which such electronic records shall be filed, created or issued;

(b) The manner or method of payment of any fee or charges for filing, creation or issue any electronic record under clause (a).

Section 6A (1) of the IT Act, 2000 provides that the appropriate Government may, for the purposes of this Chapter and for efficient delivery of services to the public through electronic means authorise, by order, any service provider to set up, maintain and upgrade the computerised facilities and perform such other services as it may specify, by notification in the Official Gazette.

The Explanation to Section 6A (1) of the IT Act, 2000 provides that for the purposes of this section, service provider so authorised includes any individual, private agency, private company, partnership firm, sole proprietor form or any such other body or agency which has been granted permission by the appropriate Government to offer services through electronic means in accordance with the policy governing such service sector.

Section 6A of the IT Act, 2000 reflects the intention of Indian Government to provide Electronic Services Delivery in India. In fact, Electronic Services Delivery Bill, 2011 has already been proposed and if implemented would ensure many Electronic Services to Indians.

NAI must start working in the direction of providing its Service Online, if not already done. Even the non-service related matters and matters pertaining to the NAI are already required to be provided online in an Electronic Form as per the requirements of Section 4(1) of the RTI Act, 2005.

Section 7 of the IT Act, 2000 deals with retention of electronic records. Section 7(1) of the Act provides that where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if-

(a) The information contained therein remains accessible so as to be usable for a subsequent reference;

(b) The electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;

(c) The details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record.

The Proviso to Section 7 (1) provides that this clause does not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received.

NAI can convert its Records and Public Records into Electronic Form. Digital Preservation of Records or Public Records can also be done by NAI. While current records can be digitilised non current records can be digitilised and made available to public and researchers as the Electronic Services by NAI.

Section 7(2) of the Act provides that nothing in this section shall apply to any law that expressly provides for the retention of documents, records or information in the form of electronic records.

For instance, the RTI Act, 2005 provides for creating of many records in digital form and available to the public in an online environment. Similarly, the proposed Electronic Services Delivery Bill 2011 also requires providing of Services in online environment. This would also require digitilisation of Records and Public Records by NAI.

Section 7A of the IT Act, 2000 provides that where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form.

Audit of Electronic Documents would also be undertaken in future. Just like NAI has to maintain proper paper based documents, it would be required to main proper Electronic Records as well.

Section 8 of the IT Act, 2000 provides that where any law provides that any rule, regulation, order, bye-law, notification or any other matter shall be published in the Official Gazette, then, such requirement shall be deemed to have been satisfied if such rule, regulation, order, bye-law, notification or any other matter is published in the Official Gazette or Electronic Gazette.
The proviso to section 8 provides that where any rule, regulation, order, bye-law, notification or any other matters published in the Official Gazette or Electronic Gazette, the date of publication shall be deemed to be the date of the Gazette which was first published in any form.

NAI can publish its Rules, Regulations, etc in Electronic Gazette.

Section 9 of the IT Act, 2000 provides that Sections 6, 7 and 8 would not to confer right to insist document should be accepted in electronic form. Section 9 says that nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.

This is a real “Disabling Provision” that is preventing the actual accomplishment of Electronic Services Delivery in India. By making it “Discretionary” India Government has kept at bay for long the Electronic Delivery of Services to Indians. The latest proposed Electronic Services Delivery Bill 2011 addresses a very small and insignificant portion of the Electronic Delivery of Services in India and till now Electronic Services cannot be claimed as a “Matter of Right”.

However, by virtue of RTI Act, 2005 “Providing Information” about Governmental Departments in Electronic Form has been made “Compulsory”. But till now there is no Law or Provision that makes Delivery of Electronic Services Mandatory in India. This is a “Serious Issue” that must be resolved as soon as possible.

Section 11 of the IT Act, 2000 deals with attribution of Electronic Records. Section 11 says that an electronic record shall be attributed to the originator

(a) If it was sent by the originator himself;

(b) By a person who had the authority to act on behalf of the originator in respect of that electronic record; or

(c) By an information system programmed by or on behalf of the originator to operate automatically.

There may be other provisions of IT Act, 2000 that may be relevant for NAI and PRA 1993 purposes. But for the time being, they are not mandatory in nature. We hope this “Research Report” by Perry4Law and PTLB would be useful for Government Departments in general and national archives of India in particular.

Sunday, March 6, 2011

E-Discovery In India And Its Uses

By
Baljeet Singh

Electronic discovery has many purposes to achieve. It can be used as an effective measure to prevent frauds from being committed by timely detection of suspicious activities. It can also be used for detection of these frauds and crimes after their commission. Thus, e-discovery is both preventive and curative in nature.

E-discovery must be regulated by a legal framework to give it legitimacy. E-discovery law in India has still to be enacted. Although India has the cyber law of India incorporated in the form of information technology act 2000 (IT Act 2000) yet it is far from being sufficient for cyber forensics and e-discovery purposes. Suitable legislation in this regard is urgently needed in India.

E-discovery is also relevant for law enforcement, lawyers and judiciary. Legal and judicial fraternity of India needs a temperament for scientific knowledge. This includes knowledge about cyber law, cyber forensics, digital evidencing and e-discovery.

E-discovery requirements for banks in India have also significantly increased due to the recent guidelines by Reserve Bank of India that requires banks in India to exercise cyber due diligence and adopt sound cyber security practices.

E-discovery can also supplement due diligence, incidence response and periodic inspection of computers and other technology related systems. This helps in timely detection of frauds and other crimes.

We have a single techno legal e-courts training and consultancy centre of India. It is managed by Perry4Law Techno Legal Base (PTLB). It provides techno legal research, training and education in the fields like digital evidencing in India, e-discovery in India, e-courts training in India, judges training, etc.

Friday, March 4, 2011

Chief Information Officers (CIOs) Made Mandatory For All Banks In India

Reserve Bank of India (RBI) executive director G Gopalakrishna recently said that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. G Gopalakrishna further said the banks will have to implement the facility of "second factor verification" at merchant establishments and ATMs shortly.

The requirements are arising out of the two recently released documents by RBI. The first document is a report of its working group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as information technology vision document for 2011-17 (IT Vision 2011-17). The vision document envisages that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of board of directors. The vision document also requires that while following the above, legal aspects relating to the provisions of the Acts such as Payments and Settlement Act, 2007 and IT Act, 2000 may be strictly adhered to.

This requirement of CIO/CTO is arising because many small banks do not have a designated CTO and also do not have a clear framework on information sharing. RBI is interested in gradual shift to an online system where it can access all the information from the main server of the bank once the RBI's IT Vision is implemented. Those banks having no CIO/CTOs and a steering committee are now required to have these requirements fulfilled as soon as possible.

The objectives of vision document are to ensure the use of information technology beyond core banking and into newer areas like management of information systems (MIS) and better regulatory reporting.

The vision document has been prepared by a high-level committee chaired by deputy governor K.C. Chakrabarty. The vision document also recognises the growing operational risks arising out of adopting technology in the banking sector like use of Internet banking, which could affect financial stability.

If the vision document is fully implemented, it will ensure that the RBI gets access to the servers of all banks, including foreign banks so that it has access to all the banking transactions. Further, the vision document also emphasises on the need for internal controls, risk mitigation systems, fraud detection/prevention and business continuity plans. These are good banking reforms and they must be implemented by banks in India as soon as possible.

Tuesday, November 24, 2009

CYBER TERRORISM IN INDIA AND ITS SOLUTIONS

Cyber terrorism is a controversial term. Some authors choose a very narrow definition, relating to deployments, by known terrorist organizations, of disruption attacks against information systems for the primary purpose of creating alarm and panic. By this narrow definition, it is difficult to identify any instances of cyber terrorism. Cyber terrorism can also be defined much more generally, for example, as “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives or to intimidate any person in furtherance of such objectives.” This broad definition was created by Kevin G. Coleman of the Technolytics Institute.[1]

The National Conference of State Legislatures (NCSL), a bipartisan organization of legislators and their staff created to help policymakers of all 50 states address vital issues such as those affecting the economy or homeland security by providing them with a forum for exchanging ideas, sharing research and obtaining technical assistance defines cyber terrorism as follows:

“The use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, Denial-of-service attacks, or terroristic threats made via electronic communication.[2]

In May 2007 Estonia was subjected to a mass cyber-attack in the wake of the removal of a Russian World War II war memorial from downtown Talinn. The attack was a distributed denial-of-service attack in which selected sites were bombarded with traffic in order to force them offline; nearly all Estonian government ministry networks as well as two major Estonian bank networks were knocked offline.

The traditional concepts and methods of terrorism have taken new dimensions, which are more destructive and deadly in nature. In the age of Information and Communication Technology (ICT) terrorists have acquired an expertise to produce the most deadly combination of weapons and technology, which if not properly safeguarded in due course of time, will take its own toll. The damage so produced would be almost irreversible and most catastrophic in nature. In short, we are facing the worst form of terrorism popularly known as "Cyber Terrorism".

The definition of "cyber terrorism" cannot be made exhaustive as the nature of crime is such that it must be left to be inclusive in nature. The nature of "cyberspace " is such that new methods and technologies are invented regularly; hence it is not advisable to put the definition in a straightjacket formula or pigeons hole. In fact, the first effort of the Courts should be to interpret the definition as liberally as possible so that the menace of cyber terrorism can be tackled stringently and with a punitive hand. The law dealing with cyber terrorism in India is, however, not adequate to meet the precarious intentions of these cyber terrorists and requires a rejuvenation in the light and context of the latest developments all over the world.

The laws of India have to take care of the problems originating at the international level because the Internet, through which these terrorist activities are carried out, recognises no boundaries. Thus, a cyber terrorist can collapse the economic structure of a country from a place with which India may not have any reciprocal arrangements, including an "extradition treaty". The only safeguard in such a situation is to use the latest technology to counter these problems. Thus, a good techno-legal combination of the latest security technology and a law dealing with cyber terrorism is the need of the hour.

The most common method for cyber terrorism is the use of distributed denial of services attacks (DDOS) to overburden the Government and its agencies electronic bases. This is made possible by first infecting several unprotected computers by way of virus attacks and then taking control of them. Once control is obtained, they can be manipulated from any locality by the terrorists. These infected computers are then made to send information or demand in such a large number that the server of the victim collapses. Further, due to this unnecessary Internet traffic the legitimate traffic is prohibited from reaching the Government or its agencies computers. This results in immense pecuniary and strategic loss to the government and its agencies. It must be noted that thousands of compromised computers can be used to simultaneously attack a single host, thus making its electronic existence invisible to the genuine and legitimate netizens and end users.
The main aim of cyber terrorist activities is to cause networks damage and their disruptions. This activity may divert the attention of the security agencies for the time being thus giving the terrorists extra time and makes their task comparatively easier. This process may involve a combination of computer tampering, virus attacks, hacking, etc.

The menace of cyber terrorism in India can be effectively curbed, if not completely eliminated, if the three sovereign organs of the Constitution work collectively and in harmony with each other. Further, a vigilant citizenry can supplement the commitment of elimination of cyber terrorism.

The judiciary can play its role by adopting a stringent approach towards the menace of cyber terrorism. It must, however, first tackle the jurisdiction problem because before invoking its judicial powers the courts are required to satisfy themselves that they possess the requisite jurisdiction to deal with the situation. Since the Internet "is a cooperative venture not owned by a single entity or government, there are no centralized rules or laws governing its use. The absence of geographical boundaries may give rise to a situation where the act legal in one country where it is done may violate the laws of another country. This process further made complicated due to the absence of a uniform and harmonised law governing the jurisdictional aspects of disputes arising by the use of Internet.

Generally, the scholars point towards the following "theories" under which a country may claim prescriptive jurisdiction:

(a) a country may claim jurisdiction based on "objective territoriality" when an activity takes place within the country,

(b) a "subjective territoriality" may attach when an activity takes place outside a nation's borders but the "primary effect" of the action is within the nation's borders,

(c) a country may assert jurisdiction based on the nationality of either the actor or the victim,

(d) in exceptional circumstances, providing the right to protect the nation's sovereignty when faced with threats recognised as particularly serious in the international community.

In addition to establishing a connecting nexus, traditional international doctrine also calls for a "reasonable" connection between the offender and the forum. Depending on the factual context, courts look to such factors, as whether the activity of individual has a "substantial and foreseeable effect" on the territory, whether a "genuine link" exists between the actor and the forum, the character of the activity and the importance of the regulation giving rise to the controversy, the extent to which exceptions are harmed by the regulation, and the importance of the regulation in the international community. The traditional jurisdictional paradigms may provide a framework to guide analysis for cases arising in cyberspace.[3] It must be noted that by virtue of section 1(2) read with section 75 of the Information Technology Act, 2000 the courts in India have “long arm jurisdiction” to deal with cyber terrorism.

The menace of cyber terrorism is not the sole responsibility of State and its instrumentalities. The citizens as well as the netizens are equally under a solemn obligation to fight against the cyber terrorism. In fact, they are the most important and effective cyber terrorism eradication and elimination mechanism. The only requirement is to encourage them to come forward for the support of fighting against cyber terrorism.

The government can give suitable incentives to them in the form of monetary awards. It must, however, be noted that their anonymity and security must be ensured before seeking their help. The courts are also empowered to maintain their anonymity if they provide any information and evidence to fight against cyber terrorism.

The problem of cyber terrorism is multilateral having varied facets and dimensions. Its solution requires rigorous application of energy and resources. It must be noted that law is always seven steps behind the technology. This is so because we have a tendency to make laws when the problem reaches at its zenith. We do not appreciate the need of the hour till the problem takes a precarious dimension. At that stage it is always very difficult, if not impossible, to deal with that problem. This is more so in case of offences and violations involving information technology. A timely and appropriate legislation is always a good step forward to fight cyber terrorism. India has to cover a long gap before it can secure its traditional boundaries and cyber space.

[1] http://en.wikipedia.org/wiki/Cyberterrorism

[2] Id.

[3] Dawson Cherie; “Creating Borders on the Internet- Free Speech, the United States and International Jurisdiction”, Virginia Journal of International Law, V-44, No-2 (Winter, 2004).

© ALL RIGHTS RESERVED. COPYRIGHT PRAVEEN DALAL.