Subramaniam Vutha*

In the third article of a series on the internet, Subramaniam Vutha discusses the new IT Act and its implications. We welcome readers' participation in this forum

The new Information Technology Act (available at www.mit.gov.in/it-bill.htm) has some interesting features and raises certain issues which we will discuss here. We also invite you to participate in this debate by sending us your thoughts, suggestions and questions.

The Information Technology Act 2000 provides:

• For legal recognition transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "Electronic Commerce" which involves the use of alternatives to paper-based methods of communication and storage of information.
• For electronic filing of documents, with government agencies
• For delivery of government services by means of reliable electronic records

Issues

• Although e- commerce is based on information technology, the Act deals mainly with electronic commerce and electronic governance. Do you think the Act should be renamed as " The Electronic Commerce and Governance Act"? Would you suggest any other name?
• Do you think the current name could deter people from plunging into the provisions of the Act, as something too technological for easy comprehension?
• Or that the aspect of electronic governance merits emphasis and should be given more prominence?

Key exclusions

The Act excludes:

• Negotiable Instruments, namely cheques, promissory notes and bills of exchange
• Powers of attorney
• Trusts, as defined under Indian law
• Wills and other testamentary dispositions by whatever name called
• Contracts for sale or conveyance of immovable property or any interest in such property
• Any such class of documents or transactions, as may be notified by the government

These require special attestation and/or registration formalities, which, perhaps, explain their exclusion.

Issues

• What effect do you think the exclusion of negotiable instruments would have on financial transactions on the net?
• Just as several safeguards have been introduced over the years to facilitate commerce between parties separated by great distances or parties not well known to each other (for example, attestation, notarization, the use of financial and other intermediaries and agencies - such as banks and accreditation agencies; and instruments to secure payment such as letters of credit etc.) what equivalent safeguards would you recommend in the virtual economy for net transactions?
• Should the government have reserved the right to include some classes of documents or transactions just as they have done for "exclusions"?

Definitions

Certain definitions may create difficulties. For example:

• "Access" has been defined as gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer systems or computer network. So, regardless of the intent or the effect of such access, certain penalties may be attracted.
• Access to the internet for commercial transactions will increasingly be through non-computer or non-PC devices such as cell phones but the Act defines a "computer " in a manner which may not include such devices.
• Terms such as "asymmetric crypto system" need simple non-technical explanations, using diagrams and pictures to illustrate them.

Issues

• Should the Act have defined "access" in a manner which makes it clear that only where such access is with an intent to do an unauthorized or potentially harmful act or results in such harm, will the penal provisions of the Act be applicable?
• Should the Act have used and defined the term "information system" rather than a "computer"?
• Should the Act or the rules and regulations under the Act illustrate (using diagrams and examples) technical terms such as "asymmetric crypto systems"?

Digital Signature

The Act permits a subscriber, i.e. a person in whose name a Digital Signature Certificate is issued, to authenticate an electronic record by affixing his digital signature, i.e., the Act, unlike those in certain other countries, has not adopted a strictly technology- neutral mode.

Issues

Instead of being specific about digital signatures, do you think the Act should have used some generic definitions to allow for recognition of new methods of electronic signatures which technological advances may provide? (for example, certain countries have adopted definitions which recognize electronic signatures with the following attributes: an electronic signature unique to the person using it, capable of verification, under the sole control of the person using it and linked to the data in such manner that if the data is changed, the signature is invalidated.)

[Intended to stimulate thought and debate. Not intended as legal or other advice]

Electronic governance With respect to electronic governance, the Act provides for the following:

• Any information or other matter which the law requires to be in writing or in printed form, may be rendered or made available in electronic form, in a manner so as to be accessible and usable for subsequent reference.
• Such information or matter can be authenticated by means of a digital signature affixed in a manner prescribed by the central government
• Filing of any form, application or other documents with any office, agency or authority of the government or for the issue or grant of any license or permit by means of such electronic form, as may be prescribed
• Retention of documents, records or information in electronic form, if (i) the information contained therein remains accessible so as to be usable for a subsequent reference (ii) the electronic record is retained in its originally generated, sent or received format or in a format which can be demonstrated to represent, accurately, that format, (iii) the record bears details which will facilitate the identification of the origin, destination, date, time of despatch or receipt of such record
• All rules, regulations, notifications issued by the government may be issued in electronic form

Issues

• Given the varying degrees of readiness of various government agencies and bodies for electronic governance, the Act specifically provides that no right is conferred upon any person to insist that any such body should accept, issue, create, retain or preserve any document in electronic form or transact electronically. What do you think can be done to accelerate the use of electronic transactions by the government?
• How can "electronic governance " bring the government closer to the citizens? And make it more responsive?
• What innovative ideas can we adopt to provide India's illiterate millions with access to government services, using the Internet?

Attribution, acknowledgment and despatch of electronic records

The Act provides:

• That all electronic records sent by an originator, his agent or an information system programmed by or on his behalf are attributable to him
• Offers and acceptances may be by automated means i.e., by computers programmed for such purposes
• For certainty as to time and place of despatch and receipt of electronic records recognising the various possibilities in electronic transactions

Issues

While we are familiar with the concept of a human agent and being bound by the acts of a human agent, the use of automated devices for transacting on our behalf presents new risks, For example, we may find ourselves being bound by an unintended act of the programmed device arising from a software defect or otherwise. What technological and legal safeguards can we envisage to reduce such risks?

Penalties and adjudication

The Act provides the following:

• Damages by way of compensation not exceeding Rs.10 million may be imposed for unauthorised access, unauthorised downloading or copying of data, introduction of computer viruses or contaminants, disruption of systems, denial of access or tampering with or manipulating any computer/network
• Section 77 of the Act does provide that no penalty imposed under the Act shall prevent imposition of any other punishments attracted under any other law for the time being in force.
• Penalties have also been prescribed for failure to furnish information, to file returns and for contravention of rules and regulations prescribed
• Officers not below the rank of directors in the central or state governments will be appointed to act as adjudicating officers in respect of the aforesaid offences

Issues

• Should the Act have stipulated a higher ceiling on compensation, in view of the fact that a computer virus may cause damage running into millions of rupees?
• Should the Act have also provided scope for the government to appoint as adjudicating officers qualified professionals, such as systems and audit specialists, who are not government servants?

Cyber regulations appellate tribunals 

• The Act provides for one or more appellate tribunals (single member — with qualifications equivalent to those of a high court judge or prescribed level of membership of the Indian Legal Service) to hear appeals against any order passed by the controller or adjudicating officer
• The Act provides sole jurisdiction to the adjudicating officer and the tribunal for all suits and proceedings in relation to matters covered by the Act
• An appeal from an order of the tribunal may be made to the appropriate high court
• The controller is empowered to compound any contravention under the Act, subject to the conditions stipulated under the Act.

Issues

Should the Act have provided for two- or three-member benches so that a technical member could be included in such tribunals?

Offences

Apart from the offences stated above which can be investigated and adjudicated upon by an adjudicating officer, certain offences have been specifically set out such as:

Tampering with the computer software source code for which a fine of upto Rs. 2 million and/or imprisonment of upto three years may be imposed

• Hacking of the computer system for which similar penalty may be imposed
• Publishing of obscene matter for which imprisonment may extend upto five years with a fine of upto Rs.1,00,000 (for second and subsequent convictions, imprisonment of upto 10 years and a fine of upto Rs. 2,00,000)
• The government may notify certain computer systems or networks as being "protected systems", unauthorised access to which may be punishable with imprisonment upto 10 years in addition to a fine
• Penalties have also been stipulated for mis-representation to the Controller of Certifying Authorities and for breach of confidentiality and privacy by any regulatory authorities who have access to electronic data under the Act
• Penalties have also been prescribed for publishing false digital signature certificates or for use of such certificates for fraudulent and unlawful purposes

Issues

• In addition to or instead of the many elaborate penal provisions should the Act have provided for notification by the government of guidelines as to acts which constitute the offences referred to in the Act?
• What role do you think education and training will play in curbing offences, especially among the young?

Offences outside India

The provisions of the Act shall also apply to offences or contravention outside India, if such offences or contravention involves a computer, computer system or computer network located in India

Issues

• What jurisdictional and enforcement challenges do you foresee in relation to this provision?
• What new forms of international cooperation should emerge to handle such situations?

Network services providers

Network services providers shall not be liable under this Act for any third party information made available, if they prove that the offence or contravention was committed without their knowledge or that they had exercised all due diligence to prevent such offence

Issues

• Should the government issue guidelines and advisory notifications to provide guidance to network services providers?
• Should such providers attempt self-regulation?

Miscellaneous

Various miscellaneous provisions have been made, including the power to make rules and regulations, but a few of these have special significance, for example;

• A police officer not below the rank of deputy superintendent of police may enter any public place and search and arrest, without a warrant, any person found therein who is reasonably suspected of having committed, or of committing, or of being about to commit, any offence under the Act. Although the definition of a "public place" does not include a cyber cafe, it does appear that such a provision is intended to curb misuse of cyber cafes, which have been proliferating in most Indian cities and towns 
• The Act has over-riding effect notwithstanding anything inconsistent in any other law in force. This could have far- reaching implications under various Acts.
• In respect of offences by companies, in addition to the company, every person who, at the time the contravention was committed, was in charge of, and was responsible to the company for the conduct of the business of the company, shall be guilty of the contravention, unless he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention. The burden of the proof shifts to the director or the officer, which is unfair and is not consistent with the Model Law.
• Anticipating difficulties in implementing the Act, the government has reserved the right to issue the orders to remove any difficulty

Issues

• Do you think the provision empowering certain police officers to search and arrest without a warrant will be misused? What safeguards do you suggest?
• The Act has over-riding effect over other laws and this could have far reaching implications -- can you envisage some such implications? For example,  in company law or the laws relating to income tax, sales tax etc?
• Should the provision regarding offences by companies be amended to make it more fair and reasonable to persons in charge of the business -- especially since most such people would have little knowledge of the technicalities involved in electronic transactions?

Amendments to other Acts

The Act provides for amendments to:

• The Indian Penal Code to provide for the recognition of electronic records and documents in court proceedings and to cover offences in respect of documents in electronic form
• Indian Evidence Act to provide for recognition and evidentiary presumptions in respect of electronic records, for the admissibility of electronic records in courts of law, for evidentiary presumptions in respect of secured electronic records and secured digital signatures and for proof or verification as to digital signatures
• Bankers’ Books Evidence Act and the Reserve Bank of India Act to facilitate maintenance of banking records in electronic form and the regulation of funds transfers through electronic means, respectively

Conclusion

In the next article, we shall take a look at the key provisions facilitating electronic transactions -- digital signatures, digital signature certificates, certifying authorities and related aspects which form the core of this new Act.

Meanwhile, please send in your responses to Yolynd Lobo at yolynd.lobo@tatainfotech.com. We look forward to them.

Please also look out for comments by legal and business leaders on the issues raised in this article.

Subramaniam Vutha is senior vice president (secretarial and legal) with Tata Infotech Ltd, Mumbai. A graduate in commerce and postgraduate in law, Subramaniam is a member and Indian correspondent for the International Bulletin of the Computer Law Association's magazine, and a contributor to the World Internet Law Report, a publication of BNA International Inc., London. He was recently invited to join their advisory board.

He is also a speaker and contributor on intellectual property rights, e-commerce and information technology law issues, and a member of the Confederation of Indian Industries’ working group on TRIPS (Agreement on Trade-Related Aspects of Intellectual Property Rights).