India should introduce a single e-commerce bill that covers transactions, computer misuse and fraud
By Sumanjeet Singh
Phishing, a common computer scam, involves a mass e-mail promising a reward in exchange for information. One of the best known phishing attacks in India was the Nigerian General’s Widow e-mail. The target received an e-mail asking for cooperation and a transfer of a few thousand dollars into an account. The money, explained the unseen widow, would help release millions locked up in an account somewhere, millions that would be shared with the gentle soul willing to help.
The first e-mails surfaced several years ago, not just in India but around the world. More sophisticated attacks have been made to resemble bank e-mails asking for account updates. A click on a link directs the victim to a phony website and may give a complete stranger access to bank account numbers and passwords. In recent years, India’s banking sector has struggled to deal with phishing and other computer scams not covered by the Indian IT Act, 2000, the overarching legislation for e-commerce in the country.
A facilitative legal framework is integral to the development of new technologies and new economic activity. A strong policy could boost e-commerce in India by providing a legal and administrative framework to regulate transactions, computer misuse and frauds. The IT Act does some of that but it stops short of being a facilitator. Rather, it provides a framework for existing issues but does not take into account the fast-changing nature of electronic commerce nor its demands for quick legislative enforcement.
In May 2000, both houses of the Indian Parliament passed the Information Technology Bill, 2000, which received presidential assent in August of that year. The law was based on a model developed by the United Nations Commission on International Trade Law (UNCITRAL). Its main objective was to create a simple and transparent environment for the development of e-commerce and the digital economy.
Despite its good intentions, the IT Act has done little to achieve its objectives and the seven years that have passed since its enactment have rendered it even more ineffectual. What’s more, changes in the requirements of this growing sector of the economy have underlined drawbacks that hurt e-commerce and highlighted grey areas that create much confusion.
For example, the Act does not cover electronic payments or how electronic transactions are made. And the ability to process payment fast and easily is integral to ecommerce.
More than that, there is no mention of intellectual property rights or the rights and liabilities of holders of domain names – the basic starting point for e-commerce. It does not provide a framework for cheques, bankers’ orders and pay orders. E-taxation is not considered. New technologies such as wireless application protocol (WAP) and mobile commerce are not taken into consideration.
More significantly for the general public, it makes no allowances for consumer protection and privacy issues.
Indian law is also silent on the very significant issue of disputes regarding domain names, which are registered on a first come first serve basis. Lacking a specific law, this area is now legislated by judicial pronouncements, which have repeatedly underlined the importance and value of domain names and trademark protection.
Signing off
One of the more significant changes the Act did bring about, was giving validity to digital signatures and records used to authenticate electronic communication. In a contemporary analysis of the law, Pavan Duggal, a cyber law expert, explained that the Act helps corporations cut costs, time and manpower by allowing them to file records electronically instead of keeping expensive, bulky and time consuming paper.
In the next step from giving digital documents and signatures legal recognition, the Act modernized the Indian Penal Code, 1860 by extending penalties to electronic crimes. It also included electronic records, printed files and optical storage in the definition of “document” in the Indian Evidence Act, 1872 and set standards for digital signatures and certificates. It also amended the Banker’s Book Evidence Act, 1891, and the Reserve Bank of India Act, 1934.
Most of these changes were underscored by the recognition that one of the most important issues in the context of e-commerce is security. The legislation considers a threat anything that can cause economic hardship to data and network resources by destroying, disclosing or modifying data, blocking services, defrauding or abusing consumers.
The Act creates a new breed of information technology offences, such as source code attacks (sec 65), hacking (sec 66), obscenity (sec 67), failure to comply with the controller’s directions (sec 68), accessing protected systems (sect 70), breaches of privacy or confidentiality (sec 72), publishing false digital signature certificates (sec 73) and making available digital signatures for a fraudulent purpose (sec 74). It also deals with infractions committed outside India by giving regulators the authority to deal with people of any nationality and applying to offences committed outside of India on systems within the country.
The Act also sets the terms of liability for network service providers like Rediff and Yahoo for e-mail or Airtel or Reliance for mobile telephony.
Protecting data
While attempting to comprehend the provisions of the Indian Information Technology Act, 2000 it is important to remember that it is, first and foremost, electronic commerce legislation based on the model law on electronic commerce developed by the United Nations Commission on International Trade Law (UNCITRAL).
The original draft version of the Act was titled Electronic Commerce Bill, in keeping with its prime objectives and duly referring to the Ministry of Commerce from where it came.
Partner
FoxMandal Little
After the Ministry of Information Technology was created, the draft bill was re-christened with its final and rather generic title.
Its main purpose remained the same, however, meeting the functional need to accord electronic records and transactions equal weight in evidence law as traditional paper records.
The legislation remains a milestone in electronic governance in India.
Without a doubt, there have been teething problems based largely on our perspective of the evolving interaction between the law and the new medium. What is the role of e-commerce vis-à-vis offences?
In this realm, education is very important.
Law enforcement needs desperately to understand what constitutes a crime in this new medium. This then creates an urgent need to classify computer offences, and review offence provisions under intellectual property laws to make sure they are in sync with the IT Act.
Some amendments have already been proposed to this end. They are, to a measurable extent, a reaction to recent developments such as service provider liability issues and auction sites, sleazy online clips and the like.
In a large part desirable, as most reactions are, offences under the Act would be compoundable, that is to say, the parties can compound (used differently from the traditional usage of aggravate) the case, or settle it between themselves. This is welcome as most crimes target specific individuals and it would be right for individuals to sort out the situation.
However, problems related to ambiguous phrases in the Act are not solved in the suggested changes.
For instance, one proposed amendment would make it mandatory for companies to include “reasonable security measures” while handling data. But what constitutes “reasonable” is anyone’s guess.
At its core, the Act provides for electronic offences or crimes that are linked to economic loss or detriment. The government would do well to take a leaf from the Guidelines on Cybercrime put forward by the Organization for Economic Cooperation and Development as well as the Council of Europe’s Convention on Cybercrime.
It would also do well to streamline legislation to avoid duplications in different laws. For example, including social offences like pornography in the IT Act is superfluous due to existing provisions in the Penal Code. The inclusion of a provision banning child pornography could well be a case of over legislation considering the blanket ban on pornography included both in the IT Act and in the Indian Penal Code [sec 292].
It is also worth remembering that language and expressions have not changed since 1860. In Macaulay’s footsteps, we outlaw that which is “lascivious” or which “appeals to prurient interest”; reaffirming that nothing has changed in a century and a half of lawmaking.
Despite the best intentions, the proposed amendments ignore the existing international classifications of cyber crimes, identified by the Convention on Cybercrime as offences that should be incorporated into substantive criminal law.
Some of the provisions of the Convention are particularly relevant and include offences against the confidentiality, integrity and availability of computer data and systems such as illegal access, illegal interception, data interference, computer-related offences and fraud, content-related offences, racial hatred and obscenity and infringements of copyright and related rights.
Chapter II of the Convention goes on to canvass procedural matters such as collection and preservation of evidence, production orders, search and seizure, data interception and jurisdictional issues. Chapter III deals with mechanisms for international cooperation.
While an amended version of the Act would strengthen provisions on confidentiality and data privacy, the introduction of the Personal Data Protection Bill, 2006 would take these improvements even further. As of today, data is not really protected in India.
“Data subjects” in India must have rights enshrined in explicit rules with a detailed enforcement mechanism rather than relying on a lone section to do a task better left to an entire piece of legislation.
Rodney D Ryder is a partner with FoxMandal Little, where he heads the Technology Law Practice. He can be reached at rodney.ryder@ foxmandallittle.com
Outstanding issues
Despite creating the beginnings of a regulatory backbone for e-commerce the Act still leaves a number of significant issues unaddressed.
One significant issue for corporations is the issue of data mining. If a company outsources some of its processes, personal information may end up in the hands of a third party. This may be a crime but it is not addressed by the Act.
The theft of software is another concern. Strong copyright enforcement is integral to business development but authorities are often unwilling to investigate or prosecute. In a recent case, graphic design software developer Quark complained that a rival had hacked into its systems and stolen a program from its Mohali facility. Police refused to register a first information report. There is a widespread lack of awareness on the issue, particularly among law enforcement officers.
Jurisdictional problems are also an issue. The Act applies to both the Indian and foreign citizens but the laws are presently covered under civil procedures – not criminal – making enforcement very slow. This deters victims from approaching the cyber crime cell.
Sections of the Act, most notably sec 79, give network service providers virtual immunity if they can prove they did not know their network was being used to commit a criminal act or if they exercised “due diligence” but still failed to prevent the crime.
Auction website Bazee.com, for example, fell under this clause in 2004 when it put on its site an offer for a CD showing “Delhi girls having fun”. The ad was on its site for just over 40 hours until the company was told the CD showed a clip of sex in public schools – an infamous clip known as the Delhi Public School sex clip. Banzee.com’s CEO was arrested and charged under a section of the Act that covers obscene material.
After the Bazee.com episode, Union IT ministry officials privately accepted that their flagship law needs to be amended, if nothing else, in terms of liability.
Advances ignored
Another problem with the Act is that it does not take into account technological advances.
By specifying that only digital signatures can be used to authenticate electronic records it shuts the door on other forms of electronic signatures such as scanned thumbprints or personal identification numbers.
Digital signatures are based on asymmetric key cryptography and current technology makes them safe. Problems could arise if new technologies make them vulnerable.
Given the current pace of innovation this is not an altogether unlikely prospect. Legislation should allow for this possibility or the entire system of e-commerce could, theoretically, collapse.
India was among the first few countries to put in place legislation for e-commerce. Regardless of its problems, the IT Act, 2000 is quite comprehensive and (in some instances) well defined. But issues like intellectual property rights, data protection, domain name disputes, electronic payments, data and consumer protection, privacy and etaxation must be addressed.
More than that, the Act is too complex in some areas (like contract formation) and too narrow in others (such as digital signatures) while over-elaborate attempts to control certification authorities and define technologies stand in stark contrast with the minimalist approaches in other jurisdictions.
E-commerce will, undoubtedly continue to grow in India but unless these legal issues are dealt with, it will not really take off.
The writer, Sumanjeet Singh, is a lecturer at the Omkarananda Institute of Management and Technology and Research Scholar at the Department of Commerce, MD University, Rohtak.
