India: Information Technology Act: Danger of Violation of Civil Rights



The Economic and Political Weekly [Bombay, India]
August 23, 2003
Special Article


Information Technology Act: Danger of Violation of Civil Rights

The Information Technology Act raises very real concerns. It 
demonstrates a legislature deeply sceptical of the internet, rooted 
in the conventions of the past, yet battling with the need for an 
information technology law in the present-day circumstances. This 
straddling of the known and the unknown has strange results. In its 
desperate need to bring in some security for activity on the net, it 
relies heavily on the executive, little realising that it can result 
in violation of civil rights, particularly in the light of India's 
infamous emergency. The absolute control it attempts to achieve over 
certifying authorities is worrying for the same reason. The act lacks 
balance.

Sruti Chaganti

I
Introduction

When I say the brain is a machine, it is meant not as an insult to 
the mind but as an acknowledgment of the potential of a machine. I do 
not believe that a human mind is less than what we imagine it to be, 
but rather that a machine can be much, much more.1

- W Daniel Hillis
The Pattern on the Stone

From Charles Babbage's first computer far back in the 1800s to the 
military network of 40 computers in the US connected by links and 
lines in 1969 called the Advanced Research Projects Agency Network 
(ARPANET) to the internet as we know it today, a world wide web that 
links the globe through 50 million nodes, a network of 233.3 million 
computers and a user group of 163 million individuals/entities,2 
technology and therefore life has progressed into a world which seeks 
to obliterate barriers of economy, polity, society and administration.

When Prannoy Roy gaped at Sabeer Bhatia's description of his life on 
the net3 from business through entertainment to shopping for fresh 
vegetables, I agreed with Roy. But today the net has indeed overtaken 
conventional living. Business on the net is easy and with the variety 
of services offered it is little wonder that people are 
increasingly turning to the net for everyday living. The future lies 
there - in a network of computers spanning the globe.

It becomes imperative then that government services are also 
delivered online. This could prove to be a blessing for the net 
entails transparency and accessibility of information: the lifeblood 
of any democracy. Corruption and red tapism, the greatest evils of 
modern governments, can be thwarted fairly successfully. And for 
ordinary users - if they can buy vegetables and pay their bank dues 
on the net, shouldn't they also be able to pay their electricity bills 
and apply for licences online?

If e-governance and e-commerce are to be viable options, electronic 
records and digital signatures must gain legal validity. If the 
courts of law refuse to enforce a contract or validate a licence, 
entered into or obtained on the net, the growth potential of the 
internet will be severely retarded.

And yet the internet is not all goodness and opportunity. The World 
Wide Web is the playground of a new sort of criminal - one who revels 
in the anonymity offered by a network of millions of computers and 
whose apprehension legal systems across the world are battling with 
rather unsuccessfully. The internet challenges every single 
convention and belief that traditional legal systems are based upon. 
Benjamin Wittes is said to have remarked:


Suppose you wanted to witness the birth and development of a legal 
system. You would need a large complex system that lies outside of 
all other legal authorities. Moreover, you would need that system 
somehow to accelerate the seemingly millennial progress of legal 
development, so you would witness more than a moment of progress. The 
hypothetical system might seem like a social scientist's fantasy, but 
it actually exists. It's called the Internet.4


It is to enable online governance and to grant legal recognition to 
electronic records and digital signatures that the Information 
Technology Act was passed. The act attempts to regulate life on the 
net and counteract known dangers to security and privacy of 
information. In doing so, it has set up a regulatory mechanism that 
is distinguished by the stranglehold the central government has been 
granted on all matters pertaining to it. The act has been the subject of 
severe criticism for the extent of executive discretion, immunity for 
executive actions, disproportionate penalties and the introduction of 
a system so tedious and complex that it is bound to hamper the 
progress of life on the net for Indians. Worse still is the extensive 
power granted to the state to impinge on the privacy of netizens.

This paper examines the feasibility of e-governance in light of the 
provisions of the act and the very real dangers in following through 
with it. An analysis is made in light of the UNCITRAL model 
provisions, the insecurity of the net and the existing legal system. 
The emphasis is on administrative functioning or malfunctioning and 
its impact on the fulfilment of the intentions of the act.

II
E-Governance

The Preamble of the Information Technology Act, in one of its clauses, reads:


and WHEREAS it is considered necessary to give effect to the said 
resolution and to promote efficient delivery of governance services 
by means of reliable electronic records; be it enacted by the 
Parliament in the fifty-first year of the Republic of India as 
follows...


The United Nations Commission on International Trade Law adopted the 
model law on electronic commerce which was then adopted by the 
General Assembly in a resolution5 that requires the states to give 
favourable consideration to the model law when enacting or revising 
their laws of similar import. India accordingly enacted the ITA 2000 
keeping in view the provisions of the UNCITRAL model law.

Section 4 of the Information Technology Act titled 'Legal Recognition 
of Electronic Records' lays down that where any law requires that any 
information/matter shall be in writing/ type-written/printed form, 
then notwithstanding anything contained in such law, such requirement 
shall be deemed to have been satisfied if such information or matter 
is (a) Rendered or made available in electronic form; and (b) 
Accessible so as to be usable for subsequent reference.

This one section combines the import of both articles 5 and 6 of the 
UNCITRAL Model Law.6 There is no provision in the ITA however which 
corresponds to paragraph 3 of article 6 of the said Model Law, which 
allows an enacting state to exclude certain specified situations from 
the application of the functional equivalence doctrine where the 
enacting state does not wish to establish such a complete equivalence, 
as in the case of cheques, wills, negotiable instruments, etc.7 
However, such a provision might have been redundant in the light of 
section 9, which lays down that nothing contained in sections 6, 7 and 
8 confers any right upon any person to insist that any ministry or 
department of the central government or state government, or any other 
authority/body established by/under law or controlled/funded by the 
central/state government, should accept/issue/create/retain/preserve 
any document in the form of electronic records or effect any monetary 
transaction in the electronic form.

Section 5 ('Legal Recognition of Digital Signatures')8 lays down that 
where any law requires that information/other matter should be 
authenticated by signature, then notwithstanding anything contained 
in such law, the requirement will be deemed to have been fulfilled if 
authenticated by means of a digital signature affixed in the manner 
prescribed by the central government.

Section 16 lays down that the central government shall prescribe the 
security procedure having regard to commercial circumstances 
prevailing at the time when the procedure was used including: (a) the 
nature of the transaction; (b) the level of sophistication of the 
parties with reference to their technological capacity; (c) the 
volume of similar transactions engaged in by other parties; (d) the 
availability of alternatives offered to but rejected by any other 
party; (e) the cost of alternative procedures; and (f) the procedures 
in general used for similar types of transactions or communications.

However section 15 lays down that if by application of a security 
procedure agreed to by the parties concerned it can be verified that 
a digital signature, at the time it was affixed, was: (a) unique to 
the subscriber affixing it; (b) capable of identifying such 
subscriber; and (c) created in a manner or using a means under the 
exclusive control of the subscriber and is linked to the electronic 
record to which it relates in such a manner that if the electronic 
record was altered, the digital signature would be invalidated, then 
such signature shall be deemed to be a secure digital signature.

While the tenor of section 16 is that the security requirements of a 
signature will be determined by central government rules, the 
inference of section 15 is that private parties also can work out 
their own security procedures. Yet the tone and tenor of the entire 
act and the rules do not bear out the latter inference. Is this a 
contradiction in terms? Or, is there a plausible interpretation?

Section 6 of the ITA lays down the foundation of electronic 
governance. Sub-section (1) allows the filing of any form, 
application or other document, the creation, retention or preservation 
of records, the issue or grant of any licence or permit, and any 
receipt or payment in government offices and their agencies to be 
done in electronic form.

Sub-section (2) provides for the making of rules by the appropriate 
government to prescribe: (a) the manner and format in which such 
electronic records shall be filed, created or issued; (b) the manner 
or method of payment of any fee or charges for filing, creation or 
issue of any electronic record under clause (a). This legislation is 
particularly useful because it allows for such online filing without 
piecemeal amendments having to be made to different acts. Section 9, 
which has already been discussed, allows for this to happen on an 
"opt-in" basis so that those agencies which are not yet ready to go 
"paperless" are not compelled to do so. But whether such a blanket 
exemption should have been granted instead of an adequate timeframe 
is debatable.

Section 7 deals with the 'Retention of Electronic Records'.9 
Sub-section (1) lays down that where the law requires certain 
documents, records or information to be retained, that requirement is 
met by retaining data messages, provided certain conditions are 
satisfied: (a) the information contained therein is accessible so as 
to be usable for subsequent reference; (b) the data message is 
retained in the format in which it was generated, sent or received, or 
in a format which can be demonstrated to represent accurately the 
information generated, sent or received; and (c) such information, if 
any, is retained as enables the identification of the origin and 
destination of the data message and the date and time when it was sent 
or received.

The proviso to the sub-section reads: An obligation to retain 
documents, records or information in accordance with sub-section (1) 
does not extend to any information the sole purpose of which is to 
enable the message to be sent or received. Sub-section (2) lays down 
that nothing in the section shall apply to any law that expressly 
provides for the retention of documents, records or information in 
the form of electronic records.

Section 8 of the ITA provides for the publication of an Electronic 
Gazette with a proviso which states that where any 
rule/regulation/order/by-law/notification/any other matter is 
published in the official Gazette or in the Electronic Gazette, the 
date of publication shall be deemed to be the date of that official 
Gazette which was first published in any form.

Section 10 gives the central government the power to make rules so as 
to prescribe (a) the type of digital signature; (b) the manner and 
format in which the digital signature shall be affixed; (c) the 
manner or procedure which facilitates identification of the person 
affixing the digital signature; (d) control processes and procedures 
to ensure adequate integrity, security and confidentiality of 
electronic records or payments, and (e) any other matter which is 
necessary to give legal effect to digital signatures.

While the ITA 2000 has gone along with the UNCITRAL model provisions 
a good distance, it has made subtle but significant changes which 
lead one to question whether the act succeeds in what it sets out to 
do. Section 9 is a major drawback as it leaves a large amount of 
discretion in the hands of the government as to whether or not to go 
online. While it is a fact that the government needs time to break 
conventions over a hundred years old and to train employees to catch 
up with modern technology, the absence of any kind of time frame can 
seriously hamper e-governance becoming a feasible option in the near 
future.

III
Electronic Records and Digital Signatures

Section 3(18) of the General Clauses Act, 1879 defines document as 
"any matter written, expressed or described upon any substance by 
means of letter, figure or marks, or by more than one of these means 
which is intended to be used, or which may be used for the purpose of 
recording that matter".10 

Information on the computer is stored as bits and bytes, the 
electronic equivalent of zeros and ones. It is thus argued that these 
zeros and ones are expressions on the computer disc in the form of a 
figure or mark thereby classifying electronic records as documents 
under Indian law.11

Section 11 of the ITA lays down that an electronic record shall be 
attributed to the originator if it was sent (a) by the originator 
himself; (b) by a person who had the authority to act on behalf of 
the originator in respect of that electronic record; or (c) by an 
information system programmed by or on behalf of the originator to 
operate automatically.

The General Clauses Act does not define signature anywhere but 
explains 'sign' with its grammatical variations and cognate 
expressions, with reference to person, to mean affixing of his 
handwritten signature or any mark on any document. It is argued that 
if a person can introduce such information to any document so as to 
authenticate authorship, it will be construed as a signature whether 
written or printed and so digital signatures are also covered.12

Section 4 of the ITA provides for a subscriber to authenticate an 
electronic record by affixing his digital signature by the use of 
"asymmetric crypto system which envelop and transform the initial 
electronic record into another electronic record".

While the UNCITRAL model provisions have chosen to be technology 
neutral when it comes to methods of digital signatures, the ITA has 
made it clear that a digital signature has to use the asymmetric 
crypto system.

'Cryptography' is derived from Greek words that mean "secret writing" 
and involves the process of encryption and decryption. Encryption is 
the process of transforming plain text into unintelligible form and 
decryption is the process of converting the unintelligible data back 
into the original plain text.13 Encryption can be used for two 
purposes: (1) Maintaining the confidentiality of the message; and (2) 
Affixing a digital signature.

In the former case the text itself is converted using an algorithm 
into cipher text so as to ensure that those who are not intended to 
read the message do not read it. The process used is called symmetric 
cryptography, or secret key cryptography. In this process the same 
key or algorithm that is used to encrypt also has to be used to 
decrypt.

Owing to the disadvantages of symmetric cryptography,14 the 
asymmetric crypto system came into place. The system envisages the 
use of two keys - a public key and a private key. The explanation to 
sub-section (2) to section 3 reads "For the purpose of this 
sub-section, 'hash function' means an algorithm mapping or 
translation of one sequence of bits into another, generally smaller 
set known as 'hash result' such that an electronic record yields the 
same hash result every time the algorithm is executed with the same 
electronic record as its input making it computationally infeasible 
(a) to derive or reconstitute the original record from the hash 
result produced by the algorithm; (b) that two electronic records can 
produce the same result using the algorithm."15

Thus to create a digital signature, the following would be involved:

(1) Section 2(1)(zc) of the ITA defines a 'private key' as the key of 
a key pair used to create a digital signature.
(2) Section 2(1)(zd) of the ITA defines a 'public key' as the key of 
a key pair used to verify a digital signature and which is listed in 
the digital signature certificate.
(3) The information that has to be signed is delimited and is 
popularly known as the 'message'.
(4) On this message the hash function is applied, which compresses the 
information into a digital form known as the 'hash result' or the 
'message digest'. The hash function computes a result of standard 
length which is unique to the electronic record, in such a way 
that it is impossible to reconstruct the original data from the hash 
result and for two electronic records to produce the same result 
using the same function.
(5) The signatory uses his private key to encrypt the message digest, 
and this is his digital signature.
(6) He appends the original message to the digital signature and 
sends it electronically to the addressee.
(7) The addressee decrypts the signature using the signatory's public 
key and recovers the message digest.
(8) He then applies the hash function to the plain text message 
attached and derives its hash result.
(9) He compares the two message digests to ensure that there has been 
no tampering.

The public key and private key are large numbers, strings of data 
produced by using a series of formulae and are mathematically related 
to each other.16 The security and confidentiality of the private key 
are imperative for the system to be successful. Its major advantage 
lies in the fact that the public key can be made freely available by 
publication in a directory, online repository and even visiting cards 
without compromising the security of the private key provided the 
system is designed well enough to prevent hacking. Yet critics of 
this system find its security a severely debatable point.
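The signing and verification steps (3) to (9) above, carried through in working code, as an added example that is not part of the article. It uses a textbook RSA-style transform with a SHA-256 hash function (an assumption; the act prescribes the family of technique, not these parameters) and shows the section 15(c) property: alter the record after signing and the signature no longer verifies, and a 'spoofed' key pair fails as well.

```python
"""Toy asymmetric-key digital signature illustrating steps (3)-(9).
Added teaching model: short keys and no padding, not a production signer."""
import hashlib
import random
from typing import NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int  # modulus shared by both keys of the pair
    e: int  # public (verification) exponent


class PrivateKey(NamedTuple):
    n: int
    d: int  # private (signing) exponent; its secrecy is the whole system


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Draw odd candidates of exactly `bits` bits until one is prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key_pair(bits: int = 512) -> Tuple[PublicKey, PrivateKey]:
    """Steps (1)-(2): one key pair, mathematically related through n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def hash_result(record: bytes) -> int:
    """Step (4): fixed-length message digest of the electronic record."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key: PrivateKey) -> int:
    """Step (5): transform the digest with the private key."""
    return pow(hash_result(record), private_key.d, private_key.n)


def verify(record: bytes, signature: int, public_key: PublicKey) -> bool:
    """Steps (7)-(9): recover the digest with the signatory's public key,
    recompute the hash of the received record, and compare the two."""
    recovered = pow(signature, public_key.e, public_key.n)
    return recovered == hash_result(record)


def signature_demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine record verifies, altered record verifies,
    verification against a spoofed public key succeeds)."""
    public, private = generate_key_pair()
    # Constructed sample record; the licence number is a placeholder.
    record = b"Application for licence no. PLACEHOLDER-001, fee paid: Rs 500"
    signature = sign(record, private)
    altered = record.replace(b"500", b"5000")  # tampering after signing
    other_public, _ = generate_key_pair()      # a key pair not the signatory's
    return (
        verify(record, signature, public),
        verify(altered, signature, public),
        verify(record, signature, other_public),
    )


if __name__ == "__main__":
    print(signature_demo())  # (True, False, False)
```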

IV
Insecurity of the Net

The UNCITRAL model law concentrates upon two basic functions of a 
signature to identify the author of a document and to confirm that 
the author approved the content of the document.

An electronic signature means any letters, characters, numbers or 
other symbols in digital form or attached to or logically associated 
with an electronic record, and executed or adopted with the intention 
of authenticating or approving the electronic record and is 
fundamentally different from a digital signature. A digital signature 
is an "electronic identifier that utilises an information security 
measure, most commonly cryptography, to ensure the integrity, 
authenticity and non-repudiation of the information to which it 
corresponds".17 The information security measure mandated by the act 
is the asymmetric crypto system and hash function. Thus a digital 
signature serves three essential functions:

Data Integrity - indicates whether a file or message has been 
tampered with.
Data Authentication - makes it possible to digitally 
(mathematically) verify the name of the person who signed the 
message.
Non-repudiation - makes it impossible for the originator of 
the message to deny having sent it or to claim that it was signed by 
another person.18

Despite this, digital signatures have run into problems and have been 
the subject of severe criticism by sceptics. Digital signatures have 
raised issues on the fronts of security, privacy and authenticity. 
Section 3 of the ITA is categorical when it comes to ensuring 
that only public key cryptography and hash function can be used to 
digitally sign documents. It is argued in favour of the provision 
that states can develop detailed regulatory schemes which in theory 
should provide for certainty and allow for infrastructure 
development. The fact that, of all known systems, the asymmetric 
crypto system is the hardest to crack made it the logical choice.

However, the argument against being technology specific is steadily 
building up. Limiting transactions to the said system can be harmful 
and self-destructive as it is in the process of being replaced by a 
more secure system. Further, infant technology will either not be 
developed or gain a foothold in the market. The more horrifying 
possibility is that the legal system will be tied to an insecure 
system. The most ignored disadvantage however is that adopting an 
exclusive technology opens the door wide to more successful breaches 
of that technology.19 Cryptography is based on algorithms which are 
complex mathematical puzzles and it can be broken simply by solving 
the puzzle. While a simple one takes very little time, a more complex 
one just takes longer. The safety of cryptography is based on the 
complexity of the mathematical puzzle. When there is only one 
technology, efforts to break it can be that much more dedicated and 
concentrated. The use of computers makes it easier. The computer is 
simply allowed to test each mathematical possibility until the 
algorithm or mathematical solution is found. This method is called a 
'brute force attack'. The strength of the algorithm, it can be then 
said, depends on the time taken to test each mathematical possibility 
- the greater the number of possibilities, the greater the time taken. The 
law of averages then dictates that the solution can be found after 
only 50 per cent of the possibilities have been tested.20

Thus an argument is mooted in favour of a technology neutral approach 
on the grounds that it offers more flexibility and security. Further 
considering that legislators are not in a position to predict the 
future with cryptographic advancements or legal developments, they 
should just keep away from prescribing any one technology. And yet, is 
this approach without its problems? A critique of the American law 
finds exactly this neutrality problematic. "The new law says nothing 
about technology. Any number of companies will say their digital 
signature technology is the safest and the best. We'll likely 
discover who is right through trial and error. In the meantime, the 
details of e-signatures and electronic contracts will almost 
certainly end up back in court."21 

Digital signatures are prone to 'spoofing' where a bogus public key 
is created that purports to be that of a particular person when it 
really is not. It is to address this risk that certification 
authorities are envisaged to certify that the public key is that of a 
particular person.

In the creation of these certification authorities, the act has run 
the severe risk of compromising the privacy of individuals online. 
Alan F Westin defines privacy as: "the desire of people to choose 
freely under what circumstances and to what extent they will expose 
themselves, their attitude and their behaviour to others".22 The ITA 
has made it clear that a digital signature will be valid only if it 
is obtained under the provisions of the act. This means that 
individuals will be forced to establish their identities with one or 
more certification authorities under the act. This is intrusive 
because it requires people to expose data about themselves that they 
may wish to keep private, particularly when it is not necessary that 
they reveal such information. Three pressures have been identified 
that make the necessity felt for collecting identification 
information: (1) the Technological imperative - "it can be done, so it 
should be done"; (2) the Marketing imperative - "the more the 
marketers know about consumers, the more efficient marketing 
communications will be, and the better informed the consumer is"; and 
(3) the Social Control imperative - "the public is not to be trusted, 
and data about their behaviour is essential in order to deter 
non-compliance and detect and prosecute offenders".23

The approach that establishing standards will counteract the evils of 
taking personal information, as in the case of Australia, for 
instance,24 does not remove the main issue. Rule 33 of the Certifying 
Authorities rules, for instance, states that such information as is 
not revealed on the digital signature certificate shall be kept 
confidential. But the fact is that the chances of that information 
indeed remaining private are slim when one takes into account the 
functioning of our bureaucracy.

One might wonder what the hue and cry about privacy is. Just as one 
fills in thousands of documents in government offices, this is just 
another one of those. Further our constitution does not expressly 
grant us the right to privacy - it has been impliedly read in. But 
the essential fact is that what we are dealing with here is the 
internet. The positive resource that one creates for secondary use 
through such information being revealed to all and sundry is 
mind-boggling. The digital signature certificate is a public document 
- it would defeat the purpose otherwise. They can be published in 
online repositories. With dotcom sites stealing information and 
selling it without authorisation, the risks of impersonation become 
manifold.25 "A digital signature stands for a human in cyberspace ... 
yet it can be used by others".26 

Section 39 of the ITA makes it mandatory to publish a notice of 
suspension or revocation of a certificate in an online repository. 
Section 38 allows for the revocation of a certificate on request of 
the subscriber or any person authorised by him. This creates its own 
set of problems. What if the repository is manipulated by someone? 
What if an impersonator makes a request? A digital signature is 
likened to a passport.27 If once a person's details appear in the 
online repository without any fault of his, his credibility is lost. 
And if someone impersonating the subscriber has the certificate 
revoked and the new one issued, the consequences are too horrifying 
to think of.

Generating a key pair is not inexpensive. How then is the ordinary 
user of governmental services supposed to procure one?

Expense apart, for the success of the system of digital signatures it 
is essential to maintain confidentiality of the private key and its 
safety. The key generation should be undertaken entirely under the 
control of the individual concerned. The fact that the government lays 
down the security procedure is itself a bone of contention for it is 
believed that the government would have a vested interest that a 
private key be not too secure.28 Even if one were to agree that a 
basic standard has to be set for otherwise the key pair might not be 
secure, the requirement of rule 3 (1) (b) that the procedure for 
generation of the public and private key be specified in the 
application for the grant of licence and rule 19(vi) that the 
encryption technique has to be approved by the controller have no 
justification.29 It is argued that "this will defeat the very purpose 
of having a secure encryption technique or else any one can break 
into the public key or private key using the technique set out for 
encryption".

The private key is usually a large number quite impossible to 
memorise. Storing it in the hard disk of a computer leaves it wide 
open to theft by a number of methods, each of which is quite 
undetectable. Storing in a floppy or CD in such a way that it does 
not enter into the memory of the computer increases its chances of 
being lost and falling into the wrong hands.30 Again there is the 
issue of back up. "Escrow" is an arrangement whereby something is 
placed on deposit with a trusted third party. This is a potentially 
dangerous proposition. An alternative to this can be worked out where 
the algorithm is broken up into several parts and stored with several 
organisations/individuals such that it is impossible for any of them, 
without colluding, to determine what the private key is from their 
bit of the algorithm.31
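The split-custody alternative to escrow described above, as an added example that is not from the article: threshold (Shamir) secret sharing over a prime field. It assumes the 'algorithm' being broken up is the private-key value itself, held as an integer; any quorum of custodians can rebuild it, while fewer shares yield a field element unrelated to the key.

```python
"""Threshold secret sharing: split a private key among several custodians so
that only `threshold` of them together can reconstruct it.
Added teaching example; the key below is a constructed stand-in."""
import secrets
from typing import List, Tuple

# Field prime; must exceed any secret we split. 2**521 - 1 is a Mersenne prime,
# comfortably above a 512-bit private exponent.
PRIME = 2**521 - 1


def split_secret(secret: int, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Hide `secret` as the constant term of a random polynomial of degree
    threshold-1 and hand out its value at x = 1..shares, one point each."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def poly(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, poly(x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0. With at least `threshold` distinct
    shares this is the secret; with fewer it is a random-looking field
    element that carries no information about the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def sharing_demo() -> Tuple[bool, bool]:
    """Split a constructed 'private key' 3-of-5 and return
    (three custodians recover it, two custodians recover it)."""
    private_key = secrets.randbits(512)  # constructed stand-in for a real key
    shares = split_secret(private_key, threshold=3, shares=5)
    quorum = [shares[0], shares[2], shares[4]]  # custodians 1, 3 and 5 combine
    too_few = shares[:2]                         # custodians 1 and 2 alone
    return (
        recover_secret(quorum) == private_key,
        recover_secret(too_few) == private_key,
    )


if __name__ == "__main__":
    print(sharing_demo())  # (True, False)
```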

While the theory is that when A wants to sign a document she performs 
a mathematical calculation using the document and a private key, then 
appends the result of that calculation, which is the signature, to 
the document and sends it off, the truth is that more often than not 
her computer does it for her, for which reason she stores the private 
key on her hard disk.32 Now there are three well known ways in which 
a system can be penetrated:

Monitoring of electronic emissions33: Most electronic communication 
devices emit electromagnetic radiation that is highly correlated 
with the information carried or displayed on them and can in principle 
be read off the terminal from a distance by equipment specially 
designed to do so.

Device penetration34: A software controlled device can be penetrated 
in a number of ways. For example, a virus may infect it, making a 
clandestine change. A message or a file can be sent to an unwary 
recipient who activates a hidden programme when the message is read 
or the file is opened; such a programme, once active, can record the 
keystrokes of the person at the keyboard, scan the mass storage media 
for sensitive data and transmit it, or make clandestine alterations 
to stored data. The virus could display one message on the screen and 
sign another by penetrating the signing software.

Infrastructure penetration35: The infrastructure used to carry 
communication is based on software controlled devices called routers 
through which information travels in data packets. Router software 
can be modified to copy and forward all or selected traffic to an 
unauthorised computer.

There are myriad ways in which data can be lifted off a 
person's computer. A digital signature authenticates the document up 
to the point of the signing computer but does not authenticate the 
link between that computer and the signatory.36 Even where the 
private key is not stolen, an honest mistake can prove costly. As 
Jessi Berst said, "there will be some volatile disasters 
in the early days when somebody's seven-year old clicks and sells the 
house or buys a car. When that happens, a pen and paper will seem 
like pretty nifty technology".37 

It is in this context where it is not easy to detect that the 
private key has been compromised that the explanation to section 42 
creates an unbreakable onus on the subscriber. In an attempt to cap 
the liability on the CA and the addressee, the explanation declares 
that the subscriber shall be liable till he has informed the 
certifying authority that the private key has been compromised.

V
Administrative Control

In an attempt to counteract the known dangers to digital signatures 
and transactions on the net, the ITA has set up a regulatory 
mechanism in such a way that it almost defeats the dual purpose of 
facilitating e-transactions and securing them.

Strangulating Administrative Control


Section 17: Appointment of Controller and Other Officers

(1) The central government may by notification in the official 
Gazette, appoint a controller of certifying authorities for the 
purposes of this Act and may also by the same or subsequent 
notification, appoint such numbers of deputy controllers and 
assistant controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act 
subject to the general control and directions of the central 
government.


This section has thus made it clear that the Controller will be an 
officer of the central government and thus a part of the executive 
arm of the state.

Section 18 lays down the functions, all or some of which the 
Controller may perform, thereby granting the Controller excessive 
control over the certifying authorities. To mention just two: clause 
(a), exercising supervision over the activities of certifying 
authorities (there is nothing per se wrong with supervision, except 
that a perusal of the act and guidelines leads one to understand that 
such supervision can be terribly intrusive), and specifying the 
contents of different printed or visual materials and advertisements 
that may be distributed or used in respect of a digital signature, 
certificate and the public key. The act puts in place a complex 
system of licensing certifying authorities, giving the Controller, 
and therefore the government, the power to demand absolutely any kind 
of information before an application can be granted. Too short a 
period has been allowed between the grant of a licence and the 
requirement to set up shop. Section 19 allows for the recognition of 
foreign certifying authorities by the Controller, if he so chooses, 
with the approval of the central government.38 But section 32 
requires the foreign authority to have a place of business in India, 
which can prove to be a sure dissuasive factor to foreign 
authorities. Many Indians have obtained digital signature 
certificates from international (non-Indian) certifying authorities 
like Verisign and Globalsign.39 The rules do not provide for the 
verification of these signature certificates and therefore invalidate 
almost all of them. And yet, to date, no CA has become fully 
functional under the act.

Penalties and Offences

Section 42: Penalty for damage to computer, computer system, etc.

If any person without permission of the owner or any other person who 
is in charge of a computer system or computer network -
(a) accesses or secures access to it;
(b) downloads, copies or extracts any data, computer data base or 
information from it;
(c) introduces or causes to be introduced any computer contaminant or 
computer virus into it;
(d) damages or causes to be damaged any computer, computer system or 
computer network, data, computer database or any other programmes 
residing in it;
(e) disrupts or causes disruption of any computer, computer system or 
computer network;
(f) denies or causes the denial of access to any person authorised to 
access it;
(g) provides any assistance to any person to facilitate access in 
contravention of the provisions of this act;
(h) changes the services availed of by a person to the account of 
another person by tampering or manipulation,
he shall be liable to pay damages by way of compensation not 
exceeding one crore rupees to the person so affected.
Section 65: Tampering With Computer Source Documents

Whoever knowingly or intentionally conceals, destroys or alters, or 
intentionally or knowingly causes another to conceal destroy or alter 
any computer source code used for a computer, computer programme, 
computer system or computer network where the computer source is 
required to be kept or maintained by law for the time being in force, 
shall be punishable with imprisonment up to three years or with a 
fine which may extend up to 2 lakh rupees, or both.

Section 66: Hacking With Computer System
(1) Whoever with intent to cause, or knowing that he is likely to 
cause, wrongful loss or damage to the public or any person destroys or 
deletes or alters any information residing in a computer resource or 
diminishes its value or utility or affects it injuriously by any 
means commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to 
three years or with fine which may extend up to 2 lakh rupees or both.

As is fairly obvious, the penalties that have been imposed are 
monstrously large. These sections are much needed in view of the 
absolute insecurity of the Net and the argument is that such heavy 
penalties will have a deterrent effect. While that point is 
debatable, there are a few basic flaws in the drafting of these 
sections. Section 66 in the first instance is redundant thanks to 
section 43. But most importantly, the definition of hacking itself is 
per se wrong. It is not necessary that a hacker will 
destroy/delete/alter data. He may just enter, read the private key 
and leave the system again without having touched anything inside.

Section 44: Penalty for Failure to Furnish Information, Return, etc.

If any person who is required under this act or any rules or 
regulations made thereunder to -

(a) furnish any document, return or report to the Controller or the 
certifying authority, fails to furnish the same, he shall be liable to 
a penalty not exceeding one lakh and fifty thousand rupees for each 
such failure;
(b) file any return or furnish any information, books or other 
documents within the time specified therefor in the regulations, fails 
to file the return or furnish the same within the time specified 
therefor in the regulations, he shall be liable to a penalty not 
exceeding 5,000 rupees for every day during which such failure 
continues;
(c) maintain books of account or records, fails to maintain the same, 
he shall be liable to pay a penalty not exceeding 10,000 rupees for 
every day during which such failure continues.

Section 45 puts in place a residuary penalty: where there is no 
express penalty provision, compensation of Rs 2,000 shall be paid.

These sections go a little overboard in the imposition of penalties. 
Notwithstanding the all-intrusive control, the CAs are extensively 
liable in the above-mentioned ways. There is no exception for bona 
fide mistakes. The certification authorities are obligated to 
disclose anything which materially and adversely affects either the 
reliability of a certificate or the authority's ability to perform 
its services. If a contravention under this act occurs for reasons 
outside the control of the CA, does it mean that the CA stands to 
lose its credibility?

Governmental Access

It is this part of the act that creates the most problems and results 
in creating a system of regulation that leaves far too much 
discretion and power in the hands of the government.

Section 29: Access to Computer and Data


(1) Without prejudice to the provisions of section 68, the Controller 
or any person authorised by him shall, if he has reasonable cause to 
suspect that any contravention of the provisions of this Act, rules 
or regulations made thereunder has been committed, have access to any 
computer system, any apparatus, data, or any other material connected 
with such system, for the purpose of searching or causing a search to 
be made for obtaining any information or data contained in or 
available to such computer system.
(2) For the purpose of sub-section (1), the Controller or any person 
authorised by him may by order direct any person in charge of or 
otherwise concerned with the operation of the computer system, data, 
apparatus or material, to provide him with such reasonable technical 
or other assistance as he may consider necessary.


The section empowers the controller to access any information or data 
from any computer system if he has reasonable cause to suspect that 
any contravention of the provisions of this act has occurred. The 
controller is an arm of the executive branch of the state and is 
under the absolute control of the central government, and there is 
absolutely no reason why the controller will not oblige executive 
whims. Neither the section nor the general context of the act imposes 
any kind of accountability on the controller - if anything, it is a 
subtle (?) attempt at excluding judicial review of actions on the 
ground that the controller had reasonable cause to suspect a 
contravention.

Section 28 (1) empowers the controller or any officer authorised by 
him to investigate any contravention of the provisions of this act. 
In doing so, sub-section (2) has granted him the powers conferred on 
Income Tax authorities under chapter XIII of the Income Tax Act 1961. 
It is argued with some fervour that this shows poor appreciation of 
the nature of the internet and cyberspace. The provisions of the 
Income Tax Act have been expressly designed with a view to curtailing 
financial irregularities. Even if section 29 had been tempered with 
judicial authority, the effect would not have been so bad. But the 
section as it stands, in conjunction with the grant of powers under 
the Income Tax Act, indicates a definite leaning of the state towards 
arbitrariness.

Section 80 empowers any police officer not below the rank of DSP, or 
any other officer of the central/state government authorised by the 
central government, notwithstanding the provisions of the CrPC, to 
enter any place and search and arrest without a warrant any person 
who is suspected of having committed or of committing any offence 
under the act. Though the provisions of the CrPC come into play once 
the arrest is made, the conferral of powers under this section may 
lead to very real misuse.


Section 69: Directions of Controller to a Subscriber to Extend 
Facilities to Decrypt Information

(1) If the Controller is satisfied that it is necessary or expedient 
so to do in the interest of the sovereignty or integrity of India, 
the security of the State, friendly relations with foreign states or 
public order or for preventing incitement to the commission of any 
cognisable offence, he may, for reasons to be recorded in writing, by 
order direct any agency of the Government to intercept any 
information transmitted through any computer resource.
(2) The subscriber or any person in charge of the computer resource 
shall, when called upon by any agency which has been directed under 
sub-section (1), extend all facilities and technical assistance to 
decrypt the information.
(3) The subscriber or any person who fails to assist the agency 
referred to in sub-section (2) shall be punished with imprisonment 
for a term which may extend to 7 years.


In a few words, the controller has been empowered to 'intercept' any 
communication on the net. The Oxford Advanced Learners Dictionary of 
Current English defines the word intercept as 'stop or catch 
(somebody travelling or something in motion) before he or it can 
reach a destination.'40 This section therefore could be facilitating 
surveillance over a period of time without the knowledge of the 
person concerned. This is a grave infringement of the civil rights of 
citizens, particularly where the subjective satisfaction of the 
controller that such surveillance is required is all that it takes.

The controller has been granted very wide discretionary powers and 
absolutely no guidelines, checks or balances have been provided to 
determine the 'satisfaction' of the Controller.

A paltry attempt has been made in section 72 to bring some 
responsibility into the system. The section deals


save as otherwise provided in this Act or any other law for the time 
being in force, if any person who in pursuance of any of the powers 
conferred under this Act, rules or regulations made thereunder, has 
secured access to any electronic record, book, register, 
correspondence, information, document or other material without the 
consent of the person concerned discloses such electronic record, 
book, register, correspondence, information, document or other 
material to any other person shall be punished with imprisonment for 
a term which may extend to 2 years or with fine which may extend to 1 
lakh rupees or with both.


This measure has been dismissed as paltry because under this section, 
misconduct has to be proved whereas suspicion is enough for 
sub-sections (2) and (3) of section 69 to apply. Further while 
sub-section (3) of section 69 punishes a subscriber with seven years 
imprisonment, this section imposes a mere two-year imprisonment on an 
official of the state who owes a greater responsibility to both the 
state and the people.

Further, various provisions in the act will make it next to 
impossible to prove anything under this section and they are dealt 
with as under.

Immunity to Officials Under this Act


Section 82: Controller, Deputy Controller and Assistant Controllers 
to be public servants.

The presiding officer and other officers and employees of a cyber 
appellate tribunal, the Controller, the Deputy Controller and the 
Assistant Controllers shall be deemed to be public servants within 
the meaning of section 21 of the IPC.

It has been argued that it is not clear whether this is sufficient to 
bring it within the ambit of the Prevention of Corruption Act.

What is far more worrying is section 84, which reads thus:

No suit, prosecution or other legal proceedings shall lie against 
the central government, the state government, the controller or any 
person acting on behalf of him, the presiding officer, adjudicating 
officers and the staff of the cyber-appellate tribunal for anything 
which is in good faith done or intended to be done in pursuance of 
this Act or any rule, regulation made thereunder.


This blanket exemption successfully thwarts any attempt at making 
these officials accountable. Absolutely anything done can be passed 
off under the 'good faith' clause.

A meagre effort is made by requiring reasons to be recorded for most 
actions to be taken under this act. But apart from the fact that the 
courts are going to be flooded with cases requiring that actions of 
controllers be struck down.

Adjudication

Section 46 provides for an adjudicating officer to be appointed by 
the central government from the executive for "holding an inquiry in 
the manner prescribed by the central government". The adjudicative 
mechanism envisaged has two major problems. One, it is an extension 
of the executive; and two, there is nothing to suggest that any 
ordinary citizen can invoke it.

Section 48 provides for the establishment of a cyber-appellate 
tribunal by the central government and Section 49 makes it clear that 
such tribunals shall consist of one member only. A member from the 
Indian Legal Service, a sitting or retired high court judge or any 
member qualified to be a judge of the high court will be named 
presiding officer. This can create severe problems as the member may 
not be a technical man. Matters under this act are essentially 
technical and such expertise needs to be represented on the tribunal. 
Section 62 provides for appeal from the CRAT to the high court. 
Litigation explosion is going to be a definite feature under the 
provisions of the Act when more and more people who feel they have 
been wronged by the arbitrary use of the executive's powers throng 
the corridors of the court for redressal of their grievances. The 
fact that the ordinary courts are absolutely not equipped to deal 
with technical issues is only going to complicate matters.

VI
Conclusion

The Information Technology Act raises very real concerns. It 
demonstrates a legislature deeply sceptical of the internet, rooted 
in the conventions of the past, yet battling with the need for an 
information technology law in the present-day circumstances. This 
straddling of the known and the unknown has strange results. In its 
desperate need to bring in some security for activity on the net, it 
relies heavily on the executive, little realising that it can result 
in violation of civil rights particularly in light of India's 
infamous emergency. The absolute control it attempts to achieve over 
certifying authorities is worrying for the same reason. The act lacks 
balance.

While it is stated in the preamble that the act has been passed "to 
facilitate electronic filing of documents with government agencies", 
reading the act makes one question whether the government has thought 
through on what it attempts to do with the act. The World Bank and 
UNCITRAL are pushing through e-governance and e-commerce laws with 
great enthusiasm and India has with equal alacrity jumped onto the 
bandwagon. But the fact remains that though Indians are spearheading 
the IT revolution around the world, the internet in India is in its 
nascent stage. If India is attempting to put in a regulatory 
framework while going online, it is a commendable move, only the 
execution has worked out all wrong. Section 5 recognises digital 
signatures and Section 6 allows digitally signed dealings with the 
government. But for the ordinary middle class taxpayers, getting a 
digital signature under the act involves far too much hassle, too 
little security and the threat that they could be under government 
surveillance without their knowledge.


The line between the real world and the mechanical world is becoming 
more and more blurred every day. But it is not that humans are 
turning into automatons or becoming slaves to machines. No, we are 
simply growing towards each other. In the Blue Nowhere machines are 
taking our personalities and culture - our language, myths, 
metaphors, philosophy and spirit.41 


It becomes important, in this context, for any law-making body to 
think through on what the consequences of its actions will be. The 
issue of privacy is a serious one which the Act impacts on very 
unfavourably as the appendix reveals.

The Information Technology Act 2000 needs some serious reworking. The 
government needs to ask itself whether the answer to the insecurity 
of the net lies in the brute force of the executive. If e-governance 
is about facilitation, the ITA seems to be about complication.

Notes

 1 Deaver, Jeffrey; The Blue Nowhere; Pocket Star Books
 2 "Digital and Electronic Signatures" 
http://members.aol.com/Winchel3/Links/Legal/Signatures/SignaturesLegalLinks.htm
 3 Prannoy Roy hosted a talk show on BBC about the Y2K issue in which 
Sabeer Bhatia participated. Sabeer Bhatia is CEO Arzoo.com.
 4 Dhar, Ravi Kumar "State Surveillance, Citizens' Civil Rights and 
Cyber Crime: Indian Information Technology Act-2000 in Retrospect"; 
http:/jcmc.huji.ac.il/vol2/Issue1/intro.html
 5 A/RES/51/162 dt 30th January 1997.
 6 Article 5: Legal Recognition of Data Messages
Information shall not be denied legal effect, validity or 
enforceability solely on the grounds that it is a data message.

This principle is intended to be of general application and therefore 
does not establish the effectiveness, validity or enforceability of a 
data message. It embodies the doctrine of 'functional equivalence - 
that there should be no disparity of treatment between data messages 
and paper documents. "The form in which certain information is 
presented or retained cannot be used as the only reason for which 
that information is denied legal effectiveness validity or 
enforceability."
Article 6: Writing
(1) Where the law requires information to be in writing, that 
requirement is met by a data message if the information contained 
therein is accessible so as to be usable for subsequent reference. 
(2) Paragraph 1 applies whether the requirement therein is in the 
form of an obligation or whether the law simply provides consequences 
for the information not being in writing.
(3) The provisions of this article do not apply to the following [...]
Article 6 concentrates upon the notion of information being 
reproduced and read. The advantages stated in favour of written 
documents are that they can be accessed in the original at any time 
for subsequent reference. The use of the word 'accessible' in Article 
6 is intended to mean that information in the form of computer data 
should be readable and able to be interpreted, and that the software 
that might be necessary in order to satisfy those requirements may 
need to be retained. The word 'usable' is intended to cover not only 
human use but also computer processing. The requirement of 
'subsequent reference' was preferred to 'durability' or 
'non-alterability' both of which were understood to have limited 
application with regard to paper, and 'readability' and 
'intelligibility' which were passed over as too subjective as 
standards.
 7 Ryder, Rodney D.; Guide To Cyber Laws (Information Technology Act, 
2000, E-Commerce, Data protection and the Internet); Wadhwa; p 364.
 8 This section corresponds to Article 7 of the UNCITRAL Model Law: Signature


(1) Where the law requires the signature of a person, that 
requirement is met in relation to a data message if:
(a) a method is used to identify that person and to indicate that 
person's approval of the information contained in the data message; 
and
(b) that method is as reliable as was appropriate for the purpose for 
which the data message was generated or communicated, in light of all 
the circumstances, including any relevant agreement.
(2) Paragraph 1 applies whether the requirement therein is in the 
form of an obligation or whether the law simply provides consequences 
in the absence of a signature.
(3) The provisions in this article do not apply to the following 
[...]

Paragraph 1(a) establishes the principle that in an electronic 
environment, the basic legal functions of a signature are performed 
by way of a method that identifies the originator of a data message 
and confirms that the originator approved the content of that 
message. Paragraph 1(b) establishes a flexible approach to the level 
of security to be achieved by the method of identification used under 
Paragraph 1(a). In determining whether the method used under 
paragraph 1 is appropriate, legal, technical and commercial factors 
should be taken into account. The examples listed are:
(I) The sophistication of the equipment used by each of the parties
(II) The nature of their trading activity
(III) The frequency at which the commercial transactions take place 
between the parties
(IV) The kind and size of the transaction
(V) The function of signature requirements in a given statutory and 
regulatory environment
(VI) The capability of communication systems
(VII) Compliance with authentication procedures set forth by intermediaries
(VIII) The range of authentication made available by the intermediary
(IX) Compliance with trade customs and practices
(X) Existence of insurance coverage mechanisms against unauthorised messages
(XI) The importance and value of the information contained in the data message
(XII) The availability of alternative methods of authentication and 
the cost of implementation
(XIII) The degree of acceptance or non-acceptance of the method 
of identification in the relevant industry or field both at the time 
the method was agreed upon and the time that the data message was 
communicated; and
(XIV) Any other relevant factor
This article establishes a basic standard of authentication both in 
circumstances where national laws leave issues of authentication 
entirely up to contracting parties to decide and where requirements 
for signature are set by mandatory provisions of national law which 
are not subject to alteration by agreement of the parties.
Article 7(3) is similar to article 6(3) in that it allows national 
legislatures to exempt specific instances from the operation of these 
provisions for the model law recognises that there may be good 
reasons for specifying instances where it is not appropriate for an 
electronically signed document to have the same effect as one with a 
hand written signature as in the case of wills and negotiable 
instruments.
 9 This section corresponds with Article 10 of the UNCITRAL model law 
titled 'Retention of Data Messages:
(1) Where the law requires certain documents, records or information 
be retained, that requirement is met by retaining data messages, 
providing certain conditions are satisfied:
(a) the information contained therein is accessible so as to be 
usable for subsequent reference
(b) the data message is retained in the format in which it was 
generated sent or received, in a format which can be demonstrated to 
represent accurately the information generated, sent or received; and
(c) such information, if any, is retained as enables the 
identification of the original and destination of data message and 
the date and time when it was sent or received.
(2) An obligation to retain documents, records or information in 
accordance with Paragraph (1) does not extend to any information the 
sole purpose of which is to enable the message to be sent or received.
(3) A person may satisfy the requirements referred to in Paragraph 
(1) by using the services of any other person, provided that the 
conditions set forth in sub-paragraphs (a) (b) (c) of Paragraph (1) 
are met.
This Article establishes a set of alternative rules for existing 
requirements regarding the storage of information. Paragraph (1) sets 
out conditions under which data messages can be stored. Sub-paragraph 
(a) reproduces conditions established under article 6 for a data 
message to satisfy the requirement of 'writing'. Sub-paragraph (b) 
emphasises that the message need not be retained unaltered as long as 
the information stored accurately reflects the data message as it was 
sent thus recognising that messages may have to be decoded or 
compressed or converted in order to be stored. Sub-paragraph (c) 
insists that transmittal information which may be necessary for the 
identification of the message be stored.
Sub-paragraph (c) establishes a distinction between those elements of 
transmittal information that are important for the identification of 
the message and those covered by paragraph (2) which are of no value 
with regard to the data message and which will automatically be 
stripped out of an incoming data message by the receiving computer 
before it actually enters the information system of the addressee.



10 Kamath, Nandan; Law Relating to Computers, Internet and 
E-Commerce- A Guide to Cyberlaws; Universal Law Publishers; p 109.
11 Ibid; p 109.
12 Basu, Subhajit and Jones, Richard "Legal Issues Affecting 
E-Commerce: A Review of the Indian Information Technology Act, 2000"; 
http://www.bileta.ac.uk/02papers/basu.html
13 supra n 10, p 118.
14 Therefore the key has to be securely transmitted to the addressee 
in order to enable him to be able to read the message. Here lies the 
primary disadvantage of the system - if the key can be securely 
transmitted, so can the message! Further, there has to be some method 
of ensuring that encrypted messages can be recovered if the private 
key is lost - retaining the technology to do so makes it easy for 
hackers. Further where there are a large number of users who will 
have to access the system, secret key cryptography is potentially 
unsafe because the risk of the key falling into the wrong hands is 
greater; ibid, pp. 118-119
15 Sood, Vivek; Cyber law Simplified; Tata McGraw Hill Publishing Co, p 443.
16 supra n 12.
17 Vishwanathan, Suresh T; The Indian Cyber law; 2nd Edition; Bharat 
Publishing House, New Delhi, 2001; p 42.
18 Mittal, D P; Law of Information Technology (Cyber law), Taxmann, p 52.
19 supra n 12.
20 Greenleaf, Graham "Privacy Implications of Digital Signatures"; 
http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html
21 Lemos, Robert "Digital signatures a threat to privacy?"; 
http://zdnet.com.com/2100-11-519795.html?legacy=zdnn
22 supra n 4.
23 supra n 21.
24 Ibid.
25 supra n 22.
26 Ibid.
27 Ibid.
28 supra n 21.
29 supra n 4.
30 Kaner, Cem "The Insecurity of the Digital Signature"; 
http://www.badsoftware.com/digsig.htm
31 supra n 21.
32 Schneier, Bruce "Why Digital Signatures Are Not Signatures"; 
http://www.counterpane.com/crypto-gram-0011.html
33 supra n 10, p 119.
34 Ibid, p 119.
35 Ibid, p 120.
36 supra n 33.
37 Berst, Jesse "Sign of Trouble: The Problem With E-Signatures"; 
http://www.zdnet.com/anchordesk/stories/story/0,10738,2604099,00.html
38 supra n 4.
39 supra n 12.
40 supra n 12.
41 supra n 1, p 75.