State Surveillance, Citizens’ Civil Rights and Cyber Crime
Indian Information Technology Act-2000 in Retrospect

RAVI KUMAR DHAR
Department of Journalism, Languages & Culture, Punjab Agricultural University, LUDHIANA-141004, INDIA
Email: ravik1_in@yahoo.com

Mankind’s evolution from lyrics to technics, from lithography to laser printing, from communication through signs and symbols to the printed word and lately the Internet has been the result of many a Copernican revolution in the realm of human thought. It would, therefore, be no exaggeration to say that the year 1969 marks a watershed in the history of the media when the Age of the Internet started rendering the Age of Gutenberg obsolete. What began in the USA in 1969 as a military network of 40 computers connected by a web of links and lines, called the Advanced Research Projects Agency Network (ARPANET), grew by 1994 to a global network of 3.2 million computers and by 1995 to 12.6 million computers; the figure for the year 2000, as estimated by International Data Corporation (IDC), being a stupendous 233.3 million devices approximately. IDC also estimates that approximately 163 million individuals or entities will use the Internet by the year 2000 as opposed to 16.1 million in 1995. Also, the number of data packets that flowed through the Internet increased from 153 million in 1988 to 60,587 million in 1994. Besides, emerging from a four-node experimental network in the late 1960s, the Internet has, to date, linked up the globe through over 50 million nodes and 150 million users in about 200 countries. As a global network of computers, the Internet1 holds out the promise of obliterating social, political, administrative and economic distortions by bridging the gap of information between the advanced and the developing countries at the international level and the elite and the marginalized at the national level. But, this is only one side of the coin.
As a mass medium used by more than 200 million people the world over, the Internet has thrown up a number of policy problems ranging from online privacy to cyber security, Internet pornography, and online piracy of copyrighted material, a fact acknowledged in the Report of the U.S. President’s Working Group on Unlawful Conduct on the Internet:

Unlawful conduct on the Internet is just as intolerable as any other type of illegal activity. Ensuring the safety and security of those who use the Internet is thus a critical element of the Administration’s overall policy regarding the Internet and electronic commerce, a policy that seeks to promote private sector leadership, technology-neutral laws and regulations, and an appreciation of the Internet as an important medium for commerce and communication both domestically and internationally.2

In India, the Internet was launched in the 49th year of independence. Since then, there has been no looking back. With its widespread use in business, administration, education, infotainment and interpersonal relations, the need was felt for regulating it. Though India has a written Constitution and a comprehensively written legal system, the existing laws in India were not amenable to interpretation in the light of the emerging cyberspace as all of them were related to the political, social, economic and cultural scenario of the pre-cyberspace age. Also, none of these laws gave any legal validity or sanction to the activities in cyberspace. Moreover, the concern for legal validation of e-commerce and e-governance demanded that cyber laws be enacted. This gave birth to the Indian Information Technology Act-2000.

As the Internet is a global medium, it would be appropriate to examine this Act in the context of the history of cyber law legislation in the world. Computer crime legislation dates back to 1977 when, for the first time, a comprehensive Federal Bill was introduced in the US Congress.
Though the bill wasn’t adopted, it helped create awareness about the need for cyber regulations. By the late 1980s, most of the U.S. states had something called computer laws. The U.S. Congress too had enacted a federal statute making it a felony to interfere with computer systems [Title 18 U.S.C. Section 1030(a)(5)]. Robert Morris, a young computer science student, was tried under this law for hacking3. In the same year, the High Tech Subgroup of the G-8’s Senior Experts on Transnational Organized Crime developed ten principles and a plan of action to combat computer crime. In 1983, the Organization for Economic Cooperation and Development (OECD) in Paris appointed an expert committee to discuss computer related crime and the need for changes in Penal Codes of member countries. Again, in 1989, the Council of Europe (COE) appointed an expert committee. Its Recommendation No. R (89) 9, adopted by the COE on Sept 13, 1989, contains a list of offences that require a uniform criminal policy. The subject of computer crime legislation also came up for discussion in 1990 at the 13th Congress of the International Academy of Comparative Law in Montreal and at the UN’s 8th Congress on Crime held in Havana. The subject was discussed yet again at a conference in Wurzburg, Germany in 1992. Three years later, on Sept 11, 1995, the COE accepted another recommendation concerning problems of procedural law related to information technology and introduced ‘IT offences’. The year 1996 marked a time when local authorities and national governments learnt of undesirable cyber activities that transgressed local laws4. Many nations like Germany, Saudi Arabia and China took steps either to block access of their citizens/subjects to the Internet altogether or to crack down on the offenders. The U.S. Congress passed the Communications Decency Act of 1996, purporting to curb obscenity and indecency on the Net.
In October 1999, the G-8 countries adopted principles of trans-border access to stored computer data. On Dec. 6-7, Stanford University’s Hoover Institution in California organized a conference on International Cooperation to Combat Cyber Crime and Terrorism. The international law enforcement agencies too held a series of seminars on the subject. In 1981, Interpol held its first Training Seminar for Investigators of computer crime. In 1995, it held the first International Conference on Computer Crime, and others in May 1996, Sept 1998, and Dec 2000.

As far as the subjects of concern go, the first legal concerns on the electronic frontier were related to security. In view of the virtual character of the Net, it was difficult to define criminal behaviour on the Net. Could computer files be considered ‘property’ for the purposes of theft in existing laws? Could the essential elements of traditional ‘takings’ take place if intangible bits and bytes of data were ‘stolen’ by copying, but left the original owners in possession of what already belonged to them?5

Another matter of concern has been the unique character of cyberspace. As Benjamin Wittes has remarked:

Suppose you wanted to witness the birth and development of a legal system. You would need a large complex system that lies outside of all other legal authorities. Moreover, you would need that system somehow to accelerate the seemingly millennial progress of legal development, so you would witness more than a mere moment of the process. The hypothetical system might seem like a social scientist’s fantasy, but it actually exists. It’s called the Internet.6

In a somewhat similar strain, Anne Wells Branscomb maintains:

The Networld, where everybody can potentially be in more or less constant communication with everyone else, attracts new behaviour and new ways of thinking. This capability is a unique development unlike anything previously experienced. As a consequence, the law and lawyers confront new challenges.
As they seek to save their clients they should keep in mind that they are also architects of a legal system that must serve the larger interests of global communities as well as the interests of sovereign nations.7

This exhortation clearly indicates the need for treading the path of regulating the Net with caution, for the Networld is not only a new world in the making but also one which knocks down the false barriers of the real world. Applying national laws and regulations to a global medium such as this is, indeed, an onerous task. Furthermore, the Internet has grown so rapidly in the past because it has not been encumbered by regulations. Imposing restrictions on it at this stage could hinder investment and impede the growth of this fantastic medium. A way out, as suggested by Michael Nelson8, could be for governments to turn to the private sector and challenge it to find nongovernmental and non-regulatory solutions to Internet policy problems. One example of this is the Internet Corporation for Assigned Names and Numbers (ICANN), an international non-profit organization created in 1998 to oversee allocation of Internet Domain names and Internet Protocol numbers.

Given the wide range of concerns that the issue of regulating the Internet evokes, Mike Godwin rightly says in Freedom of Expression and Virtual Communities that:

…coming to terms with the immense expressive power of the Net, and with legal and social issues that it generates, will be one of the central challenges of our generation. And it won’t be just the politicians, lawyers, activists and technicians who take up the challenge. It will be every one of us who explores this frontier, which is in one sense a medium and in another sense a territory.9

It is against the backdrop of this declaration that an attempt has been made here to analyze the relevant provisions of the Indian Information Technology Act-2000 (ITA-2000) in retrospect with the following specific objectives:

a. to evaluate the extent and manner of State surveillance envisaged in it,
b. to study its impact on:
   i. the infringement of citizens’ civil rights,
   ii. control of cyber crime, and
   iii. the flow of objectionable matter on the Internet.

The ITA-2000 came into effect on October 17, 2000 after it received the Presidential assent on June 9, 2000. Running into thirteen chapters and combining the provisions of both the substantive and procedural law, the Act seeks to put in place a system of checks and balances to regulate the Net and to secure its use by individuals and organizations. The Act has provisions that embrace the laws of cyber contracts, cyber crimes, virtual properties, and laws on intellectual property rights in cyberspace and netizens’ rights. For the first time in the history of Indian law, electronic documents and digital signatures have been accorded legal status, though documents like negotiable instruments, wills, trust deeds, powers of attorney and any contract relating to conveyance of immovable property still remain legally unrecognized. The Act entails the setting up of a Cyber Regulations Advisory Committee which would advise the government on the regulations required to facilitate the advancement of Information Technology in India, indicating the openness to suggestions for change in IT regulations. It also envisages the establishment of a dispute resolution mechanism, which includes Adjudicating officers and Cyber Regulations Appellate Tribunal (CRAT) leading on to the Supreme Court.

Despite all these seemingly forward looking provisions, the Act has come in for criticism from various quarters on various counts. Naavi10, at the National Seminar on Copyrights held at Kottayam, Kerala from February 16-18, 2001, has come down heavily on the Act for its procedural failings. The position of the Adjudicating Officer envisaged under the Act is ad-hoc and can be invoked by the government only.
So, it will not be of any use to the common netizen who will be obliged to seek redress of grievances from the normal courts. Besides, the Act does not provide for online filing of cases or for online court proceedings, which could expedite the settlement of cases. Also, the composition of CRAT leaves much to be desired. CRAT has been made a one-member tribunal and the person appointed will be only from the judiciary. This could prove problematic in deciding techno-legal cases. Similarly, a memorandum submitted to the Ministry of Information Technology (MIT) by the Netizens’ Forum for Credible Cyber Regulations (NFCCR)11 finds flaws in the constitution of the Cyber Regulations Advisory Committee (CRAC), the strangulating administrative control of the Controller of Certifying Authorities on the routine functioning of the certifying authorities provided for in the Act, fixing of too short an initial licensing period for the certifying authorities to set up shop, non-recognition of foreign certifying authorities, contradiction between the Act and the draft rules framed under it in respect of the eligibility of certifying authorities, lack of proportion in the penalties specified for various offences and the misplacement of section 163 related to the compounding of contraventions in chapter X instead of chapter XI. These commentators merely touch upon the issues of State surveillance, citizens’ civil rights and cyber crime. NFCCR’s memo12 to MIT finds fault with the definition of hacking and computer source documents, and with the conferring of the status of deemed public servants on the officials of CRAT under section 21 of the Indian Penal Code. It argues that it is not clear if that is sufficient to bring them under the provisions of the Prevention of Corruption Act. Besides, section 84 of the Act grants them immunity for actions carried out in good faith. 
It wants the Controller, Adjudicating Officers, and members of CRAT to be deemed public servants under the provisions of the Prevention of Corruption Act and be made subject to the supervision of the Chief Vigilance Commissioner (CVC), along with the deletion of section 84.

M/s Pramila Nesargi and Associates13, practicing advocates in Bangalore, India, are critical of the rules framed under the Act for being against national interests. Rule 3 (i) (b) requires that the procedure for generation of the public and private key be specified in the application for the grant of license. If this is done, it will enable any hacker or cyber criminal to understand the procedure and decrypt the keys. This will render the whole concept of security and secrecy of the process of key generation void and, therefore, ineffective. Besides, Rule 19 (vi) provides that the encryption technique has to be approved by the Controller. ‘This’, they argue, ‘will defeat the very purpose of having a secret encryption technique or else any one can break into the public key or private key using the technique set out for encryption.’

Apart from these remarks, there seems to be no detailed study of the Act with reference to state surveillance, citizens’ civil rights and cyber crime. This calls for focused attention on these issues as affected by the Act. But, before one may attempt an analysis of the Act, it would be essential to examine the concepts underlying these terms and the relationships they are supposed to bear to each other. While State surveillance obviously relates to the role of the State, civil rights and cyber crime relate to the active functioning of the individual. Again, of the last two, while civil rights relate to the affirmative function of an individual’s survival as a human being, cyber crime relates to the negative role of an aberrant individual.

To begin with the terms related to the individual, civil rights themselves are not a homogeneous group of rights14.
These embrace rights as diverse as the rights to life, liberty, free speech, movement, political thought and religious practice, a fair trial, privacy, to found a family and to vote. In view of the heterogeneity of these rights, contradictions are bound to arise. This makes the protection of civil rights a somewhat difficult task. However, as it has been rightly observed:

In their intimacy, however, rights can and do conflict…. Such conflict, however, does not negate the importance of any of these rights, rather it requires that accommodation be made in their collective application in any set of circumstances. Their competing demands, in other words, must be weighed up against each other and a compromise reached. This is the challenge of human rights, not their refutation.15

Accommodation calls for a system of checks and balances so that the guarantee of one civil right does not affect the protection of another. In reference to the cyber world, it implies working out a relationship of accommodation between freedom of expression, on the one hand, and right to life and to privacy, on the other. Guaranteed by Article 19 of the Universal Declaration of Human Rights (UDHR)16, the first is a proactive right that without reasonable restrictions can swamp and threaten the last two. The Indian position on this is clear. India guarantees to its citizens certain fundamental rights as specified in Part III of its written Constitution. Article 19 (1) (a) of Part III of the Indian Constitution reads as follows:

“19. (1). All citizens shall have the right – (a) to freedom of speech and expression; (2).
Nothing in sub-clause (a) of clause (1) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub-clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence.”17

As citizenship under the Indian Constitution is confined to natural persons, neither an alien nor a company, even though incorporated in India, is entitled to complain of any restriction on the right to freedom of expression. A person who suffers from an infringement of this right by a law or an order may apply for its restitution to the Supreme Court under Article 32 or to a High Court (having territorial jurisdiction) under Article 226 of the Indian Constitution. However, as Justice Durga Dass Basu rightly comments:

…liberty, in an orderly society, cannot mean license, and that is why no individual right, even if guaranteed by the Constitution, in absolute terms, can be absolute. Rights are dependent upon the existence of the State and the maintenance of order so that the rights may be ensured and enforced. Hence, no right or freedom can be allowed to be exercised in such manner as would jeopardize the very existence of the State or the maintenance of public order, or undermine public morality, or a fair and impartial administration of justice, which are essential for a civilized existence.
Again, since a pre-condition of the enforcement of individual rights is that the corresponding rights of other persons should be similarly safeguarded, the freedom of expression cannot be so exercised as to undermine the reputation of any member of the public.18

The reasonable restrictions as mentioned in clause (2) are similar to those mentioned in Article 10 (2) of the European Convention on Human Rights, 1950, which states:

“The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.”19

This brings us to the competing interest of the right to privacy. As the Indian Constitution does not refer to it expressly, we turn here to internationally accepted covenants on the subject. But first, its definition. Alan F. Westin20 defines it as: ‘the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behaviour to others.’ As this definition is quite comprehensive, it combines the four facets of privacy: information privacy, bodily privacy, privacy of communication and territorial privacy spoken of by the Global Internet Liberty Campaign (GILC)21. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights expressly uphold the right of the individual to privacy and to freedom from ‘arbitrary interference’ with this right22.
However, just as freedom of expression needs to have ‘reasonable restrictions’, so does privacy. Prof Gregory J. Walters rightly avers that human rights guarantees cannot be absolute23. Section 1 of the Charter [of Civil and Political Rights] guarantees rights and freedoms ‘only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.’ These reasonable limits relate to ‘interests such as national security or public safety’24. This brings in the question of State surveillance. Premised on a long list of needs such as protection of children from exposure to sexual or violent material, prevention of the exploitation of children in the production of child pornography, defense of national or commercial security, protection of governments, corporations and religions, and limiting exposure of native cultures to supposedly harmful influences of alien cultures25, State surveillance on the Internet can result in severe infringement of civil rights. Besides, as Justice Michael Kirby has remarked, ‘It is fifty years since the Universal Declaration of Human Rights was adopted. In that half century, a paradox has emerged. Governments and other political entities need protections themselves lest, as a result of modern technology, they, and the citizens and the residents in their jurisdictions, lose rights hitherto regarded as fundamental or at least very important for humanity’s well being and peaceful governance.’26 This brings to the fore the conflict between the rights of the individual and the interests of the community. As Dinah Pokempner observes: ‘…rights submerge the values of community, obscure the moral responsibility and alienate persons. 
Community, on the other hand, connotes common interests and cooperation, mutual sympathy, and fellow feeling that ranges from one’s family through one’s ethnic and other groups to the nation state.’27 However, going with Alan Gewirth’s theory of human rights28, she asserts that such an ‘adversarial view of rights and community is profoundly wrong.’29 In fact, as Prof Gregory J. Walters maintains: ‘Human rights require community for their implementation, while community requires human rights as the basis of its morally justified economic, political and social operations and enactments.’30 Bearing in mind the mutual interdependence of rights and the community, we may accept Alan Gewirth’s Principle of Generic Consistency (PGC) which states that ‘Act in accord with the generic rights of your recipients as well as yourself.’31 From the PGC, Dinah Pokempner derives the criterion of the degree of usefulness for action as a basis for the resolution of the conflict of rights as well. She observes: ‘The “criterion of degree of usefulness for action” states that when two rights conflict with one another, that right takes precedence whose object is more needed for action. Thus rights not to be stolen from or lied to are overridden by the rights not to starve or be murdered if the latter rights can be fulfilled only by infringing the former.’32

How does this translate into the highly atomistic and private world of cyberspace? Cyber in the true sense of the word, the Networld is, so to speak, an extension of an individual’s mental world as long as its actions don’t spill over into the real world. Until that transgression occurs, putting it under blanket State surveillance would be like censoring the thought processes of individuals. A highly preposterous proposition indeed!

Indian Information Technology Act-2000

In the context of the preceding discussion, the present study is an attempt to critically examine the relevant provisions of ITA-200033. The thirteen chapters of the Act have ninety-four sections. Of these, seven relate to State surveillance, seven again to cyber crime and one to the flow of obscene material on the Net. The other sections are procedural and administrative in nature. This is not unexpected, as the Act has been expressly enacted ‘to give effect to the said resolution [resolution A/Res/51/162 dated 30th January 1997 of the United Nations General Assembly on the adoption of the Model Law on Electronic Commerce adopted earlier by the United Nations Commission on International Trade Law] and to promote efficient delivery of Government services by means of reliable electronic records’ and ‘to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”’. Thus, the primary objective of ITA-2000 has been other than controlling the Net and trespassing on the privacy of Indian netizens. The seven sections related to cyber crime and the one to the flow of obscene material on the Net deal with what could be regarded as the malady that State Surveillance seeks to fight as a cure.

The Malady: Cyber Crime and Obscenity on the Net

Of the seven sections related to cyber crime, section 43 in Chapter IX, titled ‘Penalties and Adjudication’, lists the instances in which a person shall be deemed to have contravened this Act and become liable to pay damages to the affected party. These instances relate not only to unauthorized access but also to damage to a computer/computer system, denial of access, and wrongful charging of services. The section reads: “
(43). Penalty for damage to computer, computer system, etc.

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network, ---
(a) accesses or secures access to such computer, computer system, or computer network;
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to any computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder,
(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, computer network,
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.”

With more and still more people going online, about 2 million according to one estimate, the need for such a section can hardly be overemphasized. The civil rights of online users have to be protected against intrusions from cyber criminals and the section does well to list instances of this kind for penalization.
However, the section is silent on the menace of spamming, especially on cell phones where it is not even possible to locate the IP address of the source.

Section 65 deals with the preservation of computer source code. The section reads:

“(65). Tampering with computer source documents

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.”

Thus, it is clear that the section considers a person who himself or through someone else tampers with a computer source code required to be kept by law guilty of an offence against the State. The preservation of such a code would be essential for the law enforcement agencies to access the information protected by it. In the case of its destruction, concealment or alteration, it would be difficult for them to access information required in a legal case.

Section 66 seeks to stub out the growing menace of hacking, which by playing havoc with Web sites directly interferes with the citizens’ right to freedom of expression on the Net. The section reads: “(66).
Hacking with computer system

(1) Whoever with intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years or with fine which may extend up to rupees two lakh or with both.”

But, the section seems to be a repeat of section 43 (d), which too deals with the same crime and as such is redundant. Besides, as some legal experts have pointed out, the definition of hacking given here is much too restrictive.

Section 73 relates to the offence of the publication of digital signature certificates false in certain respects. The section reads: “(73).
Penalty for publishing Digital Signature Certificate false in certain particulars

(1) No person shall publish a Digital Signature Certificate or otherwise make it available to any other person with the knowledge that –
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended,
unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

As the Act purports to make e-commerce safe and secure, this section ensures that digital signature certificates, which are poised to play a prominent role in facilitating e-commerce, are not published false in certain particulars, obviously with the intent to defraud.

Section 74 deals with the misuse of digital signature certificates ‘for any fraudulent or unlawful purpose’ and stipulates punishment with ‘imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both’.

Section 75 takes care of offences emanating outside the political and juridical boundaries of India. It reads: “(75).
Act to apply for offense or contraventions committed outside India.

(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.
(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.”

This section was very much called for, keeping in mind the global nature of the Internet and the rising trend of remote controlled hacking of important Indian business, infrastructural, and defence computer systems. In fact, hacking has become one of the components of the modern cyber war unleashed not only by governments but also by independent renegade groups.

Section 79 exonerates an Internet Service Provider (ISP) of the responsibility for offences or crimes committed on the Net ‘if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.’ This is welcome legislation, as it would disencumber ISPs of the responsibility of policing the Net. At the same time, it burdens the ISPs with the onus of proving their innocence. This implies that any State official not seeing eye to eye with them can drag them into a long drawn legal battle, which could be exhausting both psychologically and financially for the concerned ISP. In this regard, it could be restrictive for the growth of Internet connectivity in the country.

Section 67 is the lone provision in the Act on the flow of obscene material on the Net. The section reads: “(67)
Publishing of information which is obscene in electronic form Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.” A comparison of this section with sections 292-293 of the Indian Penal Code, 1860 reveals some remarkable omissions and commissions, besides its phraseology having been bodily lifted from the latter. Clause (a), sub-section (2) of section 292 of IPC reads: “(2) Whoever- (a) sells, lets to hire, distributes, publicly exhibits or in any manner puts into circulation, or for purposes of sale, hire, distribution, public exhibition or circulation, makes, produces or has in his possession any obscene book, pamphlet, paper, drawing, painting, representation or figure or any other obscene object whatsoever, or” (my italics) It is clear from this clause that the IPC makes even the possession of obscene material an offence while the ITA-2000 doesn’t refer to it at all. Again, the exception appended to section 292 of IPC excludes certain categories of material from being classed as obscene. 
The exception reads: “Exception—This section does not extend to— (a) any book, pamphlet, paper, writing, drawing, painting, representation or figure— (i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art of learning or other objects of general concern, or (ii) which is kept or used bona fide for religious purposes;…” Section 67 of the ITA-2000 makes no mention of such exceptions and thus makes even these categories of publications subject to penalty. Even in the case of those publications which don’t fall in the list mentioned in the ‘Exception’, section 292 of IPC makes it clear that the charge of obscenity will be brought only ‘if taken as a whole’, that publication or material appeals to prurient interest. In other words, the section asks for a comprehensive assessment of the material and not a piecemeal one. Section 67 significantly excludes this phrase, implying that a charge of obscenity can be brought even if a part of the material appears to be lascivious. The Indian Penal Code, 1860, has a separate section for the circulation of obscene material among minors. Section 293 of the IPC states that ‘Whoever sells, lets to hire, distributes, exhibits or circulates to any person under the age of twenty years any such obscene object as is referred to in the last preceding section, or offers or attempts so to do, shall be punished…’ With the Internet becoming home to many instances of child abuse either by the exploitation of children in the production of sexually explicit material or by immoral overtures in online chat rooms, lawmakers the world over have been worried about how best to control it. The framers of the ITA-2000 are enigmatically silent over it. 
On the one hand, the Act comes down heavily on all categories of obscene material indiscriminately and on the other, fails to take even note of child abuse on the Net. It would be pertinent to mention here that section 81 of the Act simultaneously stipulates: ‘The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law or the time being in force.’ Thus, the exception mentioned in section 292 cannot be invoked in a charge brought under section 67 of ITA-2000.

The Cure: State Surveillance

The sections under this category relate to State surveillance and may be considered as the proactive cures to the maladies discussed earlier. Section 29, Chapter VI, authorizes the State to access any computer/computer system in the case of suspicion about its being used for violation of any of the provisions of this Act. The section reads: “(29).
Access to computer and data (1) Without prejudice to the provisions of sub-section (2) of section 68, the controller or any other person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made thereunder has been committed, have access to any computer system, any apparatus, data or other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (2) For the purposes of this sub-section (1), the Controller or any person authorized by him may, by order, direct any person incharge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistant…as he may consider necessary.” A close reading of this section shows emphasis on two things: ‘reasonable cause to suspect’ and the use of ‘any’ with ‘computer system’, ‘apparatus’, ‘other material’ and ‘information or data’. The section purports to empower the Controller to access any information or data from any computer system or apparatus, if he has ‘reasonable cause to suspect’ that ‘any contravention of the provisions of this Act, rules or regulations made thereunder’ has taken place. On the face of it, it seems to be quite innocuous and meant to deter violations and to bring the guilty to book. But, the reality and its fallout in implementation seem to be otherwise. To uncover it, one needs to read this section with section 17 sub-sections (1) and (2) and section 28 sub-section (2) of the same chapter. Section 17 sub-sections (1) and (2) makes it clear that the Controller will be an officer of the Central Government and thus a part of the executive arm of the State. 
Bearing in mind the possibility of the misuse of the executive by the political party in power, this provision could be used to invade the privacy of individuals inconvenient and irksome to the government. At the same time, the State can easily escape judicial censure for such acts of intrusion by taking refuge under the highly subjective phrase ‘if he [the Controller] has reasonable cause to suspect’. Besides, when section 28 (2) of the ITA-2000 likens the Controller to Income Tax authorities under Chapter XIII of the Income Tax Act, it shows poor appreciation of the nature of the Internet/cyberspace. Such intrusions might be all right as far as restricting financial irregularities is concerned. But, when the section permits the Controller to obtain any information or data, it places the privacy of netizens at the mercy of an official who might be more than willing to oblige his political masters in power. Also, the provision could be misused on personal grounds as, it has been rightly said, power corrupts and absolute power corrupts absolutely. Had the right to access been tempered with judicial authority, it would have taken the sting out of this section. But, in its present form, the section is heavily loaded in favour of the State. Section 69 prescribes the restrictions on the civil rights of Internet users and mentions the actions that the State can take in such cases. Sub-section (1) of section 69 reads: “(69)
Directions of Controller to a subscriber to extend facilities to decrypt information (1) If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource.” As far as the restrictions are concerned there is nothing new in them. These have been mentioned in Article 19(2) of the Indian Constitution in the form of restrictions on the exercise of the right to freedom of expression. However, there is a difference between the restrictions mentioned in the Constitution and those mentioned here. In the Constitution, ‘decency or morality’ has been stated as one of the restrictions but here it doesn’t find any mention. The deletion is worth taking note of and shows the lack of concern, as has already been seen in the discussion on cyber crime, for the possible misuse of the new media for child abuse through the flow of indecent and immoral matter on the Internet. In the event of the violation of the restrictions specified here, the Controller has been empowered to ‘intercept’ any communication on the Net. The Oxford Advanced Learner’s Dictionary of Current English defines the word ‘intercept’ as ‘stop or catch (sb traveling or sth in motion) before he or it can reach a destination’34. Interception of cyber communication, therefore, could be construed as surveillance over a period of time without the knowledge of the person concerned. This is a grave infringement of the civil rights of citizens especially as it is hinged on the arbitrary powers of the Controller (“If the Controller is satisfied…”). 
M/s Pramila Nesargi and Associates, practicing advocates in Bangalore, India, have rightly drawn attention to this fact while observing: ‘The Controller has been conferred with wide discretionary and arbitrary powers. Most of the powers and functions exercised by the Controller have been left to the ‘satisfaction’ of the Controller. No guidelines, checks or balances have been provided to determine the ‘satisfaction’ of the Controller.’35 It seems that while framing the Act, the government has not looked upon ‘computer system’ as a new kind of media which needs as much protection as any other traditional media does. If it had, it wouldn’t have exposed the privacy of online users to the whims of a government official. Here, it would not be out of place to mention that State surveillance is practically negligible in the other forms of traditional media. In fact, the traditional media vigorously resists a priori restrictions. Even where the media, particularly the print media, transgresses its limitations, it is the quasi-judicial Press Council of India that looks into the matter. Such a harsh and arbitrary measure is, therefore, directed at stifling the growth of this nascent media in the country and restricting the civil rights of citizens. Apart from interception, sub-section (2) of section 69 invokes decryption of information residing in a computer system. 
The section says: “ The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information.” And, as per sub-section (3), if he ‘fails to assist the agency referred to in sub-section (2) [he] shall be punished with an imprisonment for a term which may extend to seven years.’ This clearly places the individual in a disadvantageous position vis-à-vis the might of the State, especially when the whole exercise is dependent on the subjective decision of a government official. However, the Act makes a token compensation for the violation of privacy through acts of surveillance permitted by the preceding sections, when it declares through section 72 that: “(72)-
Breach of confidentiality and privacy Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuant of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.” The penalty mentioned here is two years whereas that in section 69 sub-section (3) is seven years. Here, the person is confirmed to be guilty of violation of privacy whereas in section 69 sub-sections (2) and (3), the person has not yet been proved to be guilty but only suspected of being so. Besides, the person concerned here is an official who has obtained the information by misusing the position of responsibility (s) he occupies and betraying the trust that the State and the society have reposed in him/her. This lack of proportion in the penalties only goes to show that the government is not very sensitive to the privacy concerns of its citizens. Section 76 empowers the State to confiscate ‘Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened’. But the proviso included in the section makes it clear that the confiscation shall have to be adjudicated by a court and not by an executive fiat. That should prevent any misuse of the power granted by this section. Here, it may be pertinent to mention that the judiciary in India commands far more trust and respect than the executive does. 
In fact, of late India has been undergoing a phase of judicial activism to clean up the muck created by the executive and the legislature. Again, paragraph 2 of the section makes a distinction between the liability of ‘the person in whose possession, power or control…any such computer, computer system, floppies, computer disks, tape drives or any other accessories relating thereto is found [but is] not responsible for the contravention of the provisions of this Act, rules, orders or regulations made thereunder’ and the person who is responsible. It empowers the court to ‘make such other order authorized by this Act against the person contravening the provisions of this Act, rules, orders or regulations made thereunder as it may think fit’ ‘instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto’. This is indeed a relief to the person who is merely in possession of the computer/computer system but is not responsible for the contravention of the provisions of this Act. Also, it is a safeguard against State intrusion into his computer/computer system. Section 78 seeks to vest the power of investigation of offences falling under this Act in a police officer not below the rank of Deputy Superintendent of Police (DSP). As per administrative practice, the police in India is subject to the authority of civil administration and the two together are subject to judicial intervention and review. Despite this, there are innumerable instances where the police itself breaks the rules it is expected to protect. At times, there are allegations of custodial deaths or fake encounters. Only recently, a Division Bench of Allahabad High Court has come down heavily on cops committing crimes ‘in the name of encounter’. The worthy Court has termed such fake encounters as murders and questioned the right of the police to commit murder on the pretext of protecting the law36. 
Given the poor track record of the police in the observance of human rights, the framers of the Act might have thought it fit not to entrust the investigations to officials below the rank of a DSP. Though the intention is laudable, it may still not yield the desired result as the rot in the police force is too deep to leave even a DSP untouched. Besides, many DSPs rise from the ranks and can hardly be expected to be sensitive to the civil rights of citizens. Section 80, Chapter XIII empowers ‘any police officer, not below the rank of a Deputy Superintendent of Police, or any other officer of the Central Government in this behalf…[to] enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act.’ Though the section applies only to a public place, it does not in any way dilute the civil rights of those using computers in such a place. In a developing country like India, where the digital divide is accentuated by the deep economic fault line between the rich and the poor, the only way in which the benefits of Information Technology (IT) can reach the masses is through public IT kiosks. By allowing the police or other central /state government agencies to enter, search and make arrests, that too without warrant, the Act will discourage the growth of such kiosks and thereby deprive the masses of the benefits of IT. Besides, this section doesn’t speak of only offences committed or of offences being committed but also of those about to be committed. Empowered with such extraordinary powers, insincere and corrupt police officials can only misuse these to harass citizens not in their good books. This makes the power vested with the State completely arbitrary and limitless. 
Computer systems could, therefore, be legally broken into and persons using those taken into custody on the pretext of the possibility of their misuse by the persons arrested. This would amount to a flagrant violation of civil rights of citizens and that too with the nod of the law. Section 84 drives the final nail in the coffin. This section grants immunity to State officials against prosecution for actions taken in good faith under the provisions of this Act. The section reads: “(84) Protection of action taken in good faith No suit, prosecution or other legal proceeding shall lie against the Central Government, the State Government, the Controller or any person acting on behalf of him, the Presiding Officer, adjudicating officers and the staff of the Cyber Appellate Tribunal for anything which is in good faith done or intended to be done in pursuance of this Act or any rule, regulation or order made thereunder.” The section offers an escape route to all those officials who misuse their authority by taking the plea of action taken either in good faith or in pursuance of this Act. Thus, the State can pry into the privacy of its citizens with impunity. Also, this section will embolden State officials to misuse the limitless powers granted to them under sections 69 and 80.

Conclusion

The preceding discussion shows that the balance between the rights of the individual on the one hand, and those of State surveillance, on the other, is heavily tilted in the provisions of this Act in favour of the latter. The malady of cyber crime that the State seeks to cure through surveillance of the Net looks akin to the proverbial treatment of throwing the baby out with the bathwater. If IT has to grow and serve the cause of development in India, it shall have to be unshackled from such restrictive regulations as have been enforced here. Unfortunately, there has been little resistance to these retrogressive provisions in the country as such issues scarcely evoke even a murmur of protest in India. Besides, IT is still the rich man’s tool in India and he is bothered only if something hits his profit margins. So, if IT has to advance as a medium of communication and as an engine of growth in India, a review of the provisions relating to State surveillance, cyber crime and the flow of objectionable matter on the Net is urgently required.

(Thanks are due to Prof. K.S.Gill and Ms. Sheetal Thapar, Dept. of Journalism, Langs. & Culture, Punjab Agril. University, for their comments and help in the improvement of the paper.)

Notes

1. But, the Internet we use today is not the same as at the time of its inception. To begin with, it was conceived as a computer bulletin-board system (BBS). The operator of a BBS would dedicate a computer and one or more phone lines for use by those calling up the BBS through their own computer and modem. 
They could either leave public messages for being read by all other users or send private mail. The BBS yielded place to the conferencing system or information service. Functionally similar to the BBS and different only in its capacity, it could serve hundreds of users simultaneously. Examples are America Online (AOL) and Whole Earth Lectronic Link (WELL). The distributed network came last in the series. It is not located in a particular area but maintained and supported on a large number of computers located all over the world. This is what has come to be called the Internet.
2. The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet: A Report of the President’s Working Group on Unlawful Conduct on the Internet (March 9, 2000) at URL: http://www.usdoj.gov/criminal/cybercrime/unlawful.htm. A May 1998 report from the Global Internet Project on GIP policy architecture also draws attention to the need for regulating the Internet. It lists the following six components of such architecture:
· Infrastructure: for ensuring that the Internet is affordable, reliable and available over the world
· Governance: for ensuring that the Internet works properly
· Security: for taking necessary measures to protect the data and the systems on the Internet from malicious hackers, computer viruses, and other threats
· Privacy: for taking steps to protect the privacy of Internet users
· Content: for protecting children from obnoxious material on the Internet and protecting intellectual property over the Internet
· Commerce: for transacting e-business, protecting e-customers and taxing e-commerce
3. Ann Wells Branscomb, Cyberspaces: Familiar Territory or Lawless Spaces, available at URL: http://jcmc.huji.ac.il/vol2/Issue1/intro.html
4. ibid.
5. ibid.
6. ibid. (Originally published as Witnessing the Birth of a Legal System, The Connecticut Law Tribune, Supplement, Special Section: Technology, Feb. 27, 1995, p. 8A)
7. ibid.
8. URL: http://isoc.org/oti/articles/1000/nelson.html
9. URL: http://www.eff.org/pub/Misc/Publications/Mike_Godwin/
11. URL: http://www.naavi.com/memorandum-final.html
12. ibid.
13. URL: http://www.naavi.com/objections-pramila.html
14. URL: http://www.hroec.gov.au
15. ibid.
16. Article 19 of the Universal Declaration of Human Rights states, “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media, and regardless of frontiers.” In a similar spirit, Article 19 of the International Covenant on Civil and Political Rights reads, “Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.” Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms mentions similar safeguards, “Everyone has the right to freedom of expression. The right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of borders.”
17. Durga Das Basu, Law of the Press, (New Delhi: Prentice Hall of India Pvt. Ltd., 2nd edition: 1986), 1980, p.560
18. ibid., pp.65-66
19. ibid., p.66
20. URL: http://www.privacy international.org./survey/phr98
21. ibid.
22. Article 12 of the Universal Declaration of Human Rights maintains that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” According to Article 17 of the International Covenant on Civil and Political Rights, “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.” Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms states, “Everyone has the right to respect for his private and family life, his home and his correspondence.”
23. URL: http://www.uottawa.ca/hrrec/infotech/intro.html
24. ibid.
25. URL: http://www.isoc.org/oti/articles/1000/barlow.html
26. URL: http://www.hcourt.gov.au/speeches/kirbyj/unesco1.htm
27. URL: http://www.uottawa.ca/hrrec/infotech/intro.html
28. ibid.
29. ibid.
30. ibid.
31. ibid.
32. ibid.
33. In this article, all references to the IT Act, 2000 are based on the version published at the URL: http://www.mit.gov.in/it-bill.htm
34. A.S.Hornby (ed.), Oxford Advanced Learner’s Dictionary (Chief Editor: A.P. Cowie, Fourth Edition, 1989, 2nd Impression, Calcutta: OUP, 1992), Oxford: OUP, 1948
35. URL: http://www.naavi.com/objections-pramila.html
36. Hindustan Times, Chandigarh Edition, April 12, 2001