Changes to the IT Act will enable it to crack down on cyber offences strongly but the law is ‘soft’ in parts, say experts..
When it comes to spamming, the grouse is that the relevant Section (Section 66 A) would only apply if the identity of the spammer is established.
Moumita Bakshi Chatterjee
Nearly three years after it was introduced in the Lok Sabha and almost a year after it received a green signal from both Houses of Parliament, the IT (Amendment) Act, 2008 has come into force. The amendment allows the Government to go after new-age cyber criminals and crimes — identity theft, cyber-stalking, cyber harassment, child pornography and spamming — and also gives it more ammunition to tackle cyber terrorism.
But legal eagles say the changes have turned out to be a bitter-sweet pill. While the cyber law zeroes in on new forms of crime, it has toned down punishment in the case of certain offences. Critics further caution that the new legislation arms the State with sweeping powers to block Web sites and snoop, but has not built in adequate safeguards to check possible misuse of such powers.
First, the good news. Clearly, one of the most important changes that have been brought about pertains to cyber terrorism, with Section 66 F of the amended legislation prescribing life imprisonment for such offences. This assumes significance as the recent terror attacks have demonstrated just how tech-savvy militants can be.
Be it the Parliament attack or the more recent Mumbai terror strike, the use of technology — from satellite phones, e-mails, Internet to the more sophisticated GPS equipment — has been rampant. Experts opine that the amendments that have come into force now have penned down the widest possible definition of cyber terrorism even by global standards. “In that sense, India has taken thought leadership in clamping down on cyber terrorism,” says an industry watcher.
To quote the section verbatim, “whoever, knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence, or to advantage of any foreign nation, group of individuals or otherwise commits the offence of cyber terrorism.”
Cyber law experts have dubbed the new Section as the crowning glory of the legislation.
“The original IT Act did not have relevant teeth to deal with cyber terrorism. It now provides an additional remedy for booking cyber terrorism, where perpetrators leverage electronic formats and technology to execute terror attacks,” they say.
At the same time, the amendments have expanded the scope of the Act beyond the ambit of computer and computer network to specifically include “communication device” — mobile phones, PDAs or any other device used to communicate, send or transmit any text, video, audio or images. In one swift move, this has brought mobile users under the scanner. Earlier too, mobiles were considered to be under the wide definition of “computer” but now, inserting a clause on “communication devices”, has left no doubt about the scope of the Act.
Breather for intermediaries
Another contentious clause that has been tweaked pertains to the liability of intermediaries. Remember the controversial arrest of Baazee.com CEO in December 2004 in a case involving the sale of a sexually explicit MMS clip, on the auction site? Well, the IT (Amendment) Act now provides a breather of sorts to such intermediaries.
Under the original Act, the intermediary was required to prove that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of an offence.
“The amendment shifts the onus of proving the guilt on the law-enforcement agencies instead. It has decimated the liability of intermediaries so long as they observe due diligence and fulfil other parameters of Section 79. On the other hand, it has made the definition of intermediaries more comprehensive to includes auction sites, telecom and network service providers, ISPs, web hosting companies, search engines and online payment sites, among others,” says Pavan Duggal, a noted lawyer and an expert on issues pertaining to cyber regulation.
Casting the net wide
The new legislation casts its net, wide. It now talks in specific terms — sending offensive messages through communication services (spamming), violation of privacy (video voyeurism), Wi-Fi hacking, phishing, identity theft, et al.
“While a few of these offences find mention in the Indian Penal Code (IPC), the IT Act, by providing specific provisions pertaining to those offences such as cheating by impersonation, or criminal intimidation through spamming or sending insulting messages, provides better clarity,” points out Karnika Seth, managing partner of Seth Associates Law firm and author of Cyberlaws in the Information Technology Age.
So far silent on heinous crimes such as child pornography, the amended law clamps down on such offences.
Publishing and transmitting of material depicting children in sexually explicit acts, etc, in electronic form will attract up to five-year imprisonment and a fine of up to Rs 10 lakh on first conviction; and up to seven-year imprisonment and fine of up to Rs 10 lakh on second and subsequent conviction.
‘Soft’ in some portions
However, a section of the legal fraternity feels that notwithstanding its expanded ambit, the law has gone “soft” on cyber crimes.
Barring cyber terrorism and a few other offences, all offences where punishment is up to three years are now bailable. Moreover, in the case of Section 67 dealing with publishing or transmitting obscene material in electronic form, while the original Act stipulated up to five-year imprisonment and Rs 1 lakh fine for the first conviction, it now talks about up to three-year imprisonment and up to Rs 5 lakh fine. Similarly, the term for the second and subsequent conviction stands reduced. “At a time when the world is increasing the quantum of punishment for cyber crimes, India perhaps has the dubious distinction of reducing the punishment,” quips Duggal.
Critics have also spoken out against enhanced powers of the State when it comes to issuing direction for interception or monitoring or decryption of any information through any computer resource; or directions to block public’s access to information generated, transmitted or even hosted in a computer resource.
“The provisions pertaining to blocking of Web sites is an area of concern. Instead of State agencies, the legal system should give the necessary directions. There should be a set process of giving notices and hearing before such blocking takes place,” says e-security expert Vijay Mukhi.
Some analysts are also of the opinion that while Section 43 (A) talks about compensation for failure to protect data — it assigns responsibilities on body corporate, possessing, dealing or handling any sensitive personal data — India should have taken the cue from nations such as the UK that have a distinct and comprehensive legislation dealing with the subject. Their view: a single provision is not adequate to cover the critical issue.
Similarly, when it comes to spamming, the general grouse is that the relevant Section (Section 66 A) would only apply if the identity of the spammer is established — a tall order in itself.
“The US has anti-spam law in the form of Can Spam Act, anti-spam legislations are also in place in Australia and New Zealand. But the Indian IT Act has not addressed this effectively,” says Duggal, adding that these offences should have been covered more exhaustively under the amended legislation.
Still, the law appears to be far more potent now in dealing with new-age cyber crimes than ever before.
But for a country where the conviction for cyber crime has been abysmally low thus far and under-reporting has been the order of the day, just how effective the law turns out remains to be seen.