IT Act, 2000 -Implémentation, challenges & Role of AdjudicatingAuthority

National Workshop on handling cybercrimes, Feb 1,2014 on handling cybercrimes, 1st Feb 2014Karnika SethCyberlaw expert, Advocate Supreme Court of IndiaKarnika Seth

Presentation plan• Present an overview of IT Act,2000• Major changes brought about by the IT

(Amendment) Act,2008 • Challenges posed by the IT Act,2000• Discuss existing lacunae/clarifications required

in the IT Act,2000• Recommend Strategies for effective enforcement

of the Act by Adjudicating officers

IT Act,2000• The Act was passed in India in 2000• based on Model law of e-commerce adopted by

UNCITRAL in 1996• Three fold objectives in Preamble-• Legal recognition for e-transactions• Facilitate electronic filing of documents with

govt agencies• To amend certain acts such as IPC,1860,

Evidence Act,1872,etc

Main Features of IT Act,2000

• Conferred legal validity and recognition to electronic documents & digital signatures ( Section 4&5 IT Act,2000)

• Legal recognition to e-contracts ( Section 10A)• Set up Regulatory regime to supervise Certifying

Authorities (chapter VI)• Laid down civil and criminal liabilities for

contravention of provisions of IT Act,2000(chapter IX, XI)

• Provisions on Liability of intermediaries (chapterXII)

• Act to have overriding effect (section 81)

Need for amendments• Diversifying nature of cybercrimes –all were not dealt with under IT

Act,2000-cyber terrorism, spamming, MMS attacks,etc

• Use of wireless technology had no mention in definition of “computer network” in S2(j)

• Previously Digital signatures only method for authentication .

• Definition of ‘intermediary’ and their liability required clarification.

• Grey areas-Power of execution- Adjudicating authority

• No appointed statutory authority for supervising cyber security of protected systems

• Power to investigate offences –only DSP and above• Power to intercept & decrypt information limited under Section 69

Important definitions added in amended Act• Section 2 (ha)- communication device-includes

cell phones, PDA,etc• Section 2 (j) computer network –

interconnection through wireless added • Section 2 (na) cybercafe • Section 2(w)- intermediary- includes search

engines, web hosting service providers, online auction sites,telecom service providers etc

Determining jurisdiction• Section 1(2) and 75 of IT Act ,2000.

• Section4 IPC-offence committed outside India by citizen of India, on a ship/aircraft registered in India, any person in any place committing offence targeting computer resource in India-IT Act applies

• In a recent case, Super cassettes industries ltd v My space inc 2011 (48) PTC 49, the High court of Delhi dealt with a case for copyright infringement wherein plaintiff alleged that infringing songs and videos were uploaded on defendant's website that directly infringed its copyright in the said works. The court dealt with issue of lack of jurisdiction wherein the defendants interalia contended:

a) The defendant No.1 is a foreign national and engaged in business outside the jurisdiction of this court

b) No part of cause of action has arisen with in the territorial jurisdiction of the court.

Super cassettes industries ltd v My space inc 2011 (48) PTC 49

• The court held that even assuming that the rules of private international law may have any role to play, the same stands overridden by the express provision of the special Act which is Section 62 Copyright Act, 1957 which entitles the plaintiff to sue at the place of its own forum.

• Also, the court applied principle of interactivity of website and targeting of customers in India to assume jurisdiction to decide the matter.

• Also , court held that IT Act does not exclude the jurisdiction of civil courts in copyright infringement cases in view of Section 81 of IT Act

• See case of Nirmaljit Singh Narula vs Hubpages.com( Delhi High court , order dated 30 March 2012) wherein a foreign website was temporarily injuncted from publishing defamatory posts about an Indian Public figure .

Determining Jurisdiction-criminal matters • Place of inquiry/trial- Section 177- where offence was

committed.• Section 178 -offence committed in more than one

jurisdiction- any of the relevant jurisdictions• Section 178- act where it is done and consequence where

felt- any of these jurisdictions• Section 181-theft, stolen property, extortion- where

committed, stolen property is possessed• Offences committed by letters, messages- where

sent/received • Section 188 -offence committed outside India by citizen

of India, on a ship/aircraft registered in India trial as if committed in India with prior sanction of central government.

• Section 468 -period of limitation to take cognizance.

Attribution, Acknowledgement and dispatch of electronic records

• Section 11 -Attribution of electronic records-• Originator/authorised agent/automated software

• Section 12 -Acknowledgement of receipt-if manner of acknowledgement not specified-any communication/conduct suffice. If specified that will be binding only when acknowledged in a particular manner, it needs to be fulfilled

• Section 13-Time & place of dispatch and receipt of electronic record- save as otherwise agreed, dispatch occurs when it enters computer resource outside the control of originator. If sent to designated resource, receipt occurs when message enters such resource.

Corporate Responsibility introduced in Section 43A• Applies to Corporate bodies

handling sensitive personal information or data in a computer resource

• No limit to compensation claim

• Corporates to adopt ‘reasonable security practices’ ‘sensitive personal information’ includes financial information , password, pin, etc

• Will help combat data theft, credit card and IP frauds

• To be r/w Section 85 IT Act,2000

Section 43A• To protect sensitive personal data from

unauthorized access, damage, use, modification, disclosure,or impairment

• ‘Reasonable security practices’ as may be specified by agreement between parties

• Or Specified by any law• Or Prescribed by Central Govt in consultation with

professional bodies –recommended ISO270001 • Sensitive personal data per Rules of 2011 relate to

password, medical record, financial details,creditcard /debit card info, sexual inclination, biomretricdata etc

Amended Section 43 –cyber contraventions• Earlier Section 43 –contraventions-actus reus and

Section 66-mens rea +actus reus• Amended Section 43 , insertion of Section 43 (i) and

(j)- requirement of mens rea with actus reus• Section 43(j) uses words “stealing” and “intention to

cause damage”. Same acts when committed ‘dishonestly’ or ‘fraudulently’ are placed under Section 66.

• Intent is to punish under section 66 and compensate for loss for same acts in S.43.Amended Section 43 removed ceiling limit of one crore for compensation

• Penalty and compensation- recovery of amount as penal measure.

Amended Section 43 (j)• If any person without permission of the owner

or any other person who is incharge of a computer,computer system or computer network….steal, conceals,destroys or alters or causes any person to steal, conceal, destroy, or alter any computer source code used for a computer resource with an intention to cause damage…he shall be liable to pay damages by way of compensation to the person so affected.

Recent amendments & Role of Adjudicating Authority • The Subject matter of its jurisdiction is widened –

adjudging more contraventions under Section 43,43A• Power to impose penalty & award compensation both• Excludes jurisdiction from matters where compensation

claimed is more than 5 crores• Quantum of compensation –discretion of adjudicating

officer-• objective criteria laid down for guidance maintained-

Amount of unfair advantage gained, amount of loss, repetitive nature of default

• IT (qualification and experience of adjudicating officers and manner of holding enquiry ) Rules ,2003

The role of Adjudicating Authority & challenges –IT Act & Rules

• Contravention can be reported by aggrieved person , govt agency or suomoto action• Reliance on documentary evidence, investigation reports , other evidence• Impose fine for frivolous complaints• Can take assistance of another adjudicating officer and use online infrastructure for dispute

/enquiry-should have online hearings• Try to decide matter within 4-6 months.• Should transfer case to magistrate if requires punishment but police should also do

the same-transfer case to Adjudicating authority or advise complainant that a civil remedy also lies .Maintain both if facts are such .

• Difficulty in service of notices- fake identity/ address while registering domain names

• Compounding of contraventions ( section 63)• Civil court jurisdiction barred ( section 61)• Powers of Civil court and Section 46(5)© confers power of execution of orders passed by it-

attachment of property, arrest & detention of accused, appointment of receiver- greater enforceability

• Section 57- Appeals from decision of Adjudicating Authority and Controller may be filed with Cyber Appellate Tribunal

Power of Adjudicating Authority to grant injunction orders?• Section 46(5)IT Act read with Section 58 (2) Adjudicating

authority ought to have power to grant interim injunction?• One argument is that since it cannot grant final injunction –

no interim injunction can be granted.• Rules for holding enquiry also donot provide adjudicating

officer can grant injunction orders• In a case that falls under IT Act and not copyright Act, and if it

is not confidential information, Section 61 would bar jurisdiction of civil courts. That in my view cannot be correct reading and will defeat objective of the Act.

• This reading that there is no power to grant injunction with adjudicating officer is leading to multiplicity of litigation. But see Rule 9 of IT (Qualification & Experience...)Rules, 2003 –”duplicity to be avoided”

Rule 9 of IT (Qualification and Experience...)Rules, 2003• “When an adjudication into a matter of

contravention is pending before an Adjudicating officer, same matter shall not be pursued before any court or Tribunal or Authority in any proceeding whatsoever and if there is already filed a report in relation to the same matter, the proceedings before such other court ,Tribunal or authority shall be deemed to be withdrawn.”

• Also, Section 86, 87 of IT Act confer power on central govt to remove difficulties and make new rules to cover more powers of civil court to be prescribed under Section 58(2) IT Act,2000.

• An express clarification to this effect is imperative

New/amended Cyber offences under amended IT Act,2000

Hacking –Section 66

Sending of offensive false messages(s.66A)

Identity theft

(s. 66C)

Cheating by personation (s.66D)

Violation of privacy (s.66E)

Cyber terrorism

(s.66F)

Publishing sexually explicit content(s. 67A)

Child pornography

(s.67B)

Stolen computer resource(s.66B)

Attempt to commit an offence (s.84C)

Abetment to commit an offence(s.84B)

Cognisability & bailability • Most offences introduced by the 2008 amendments

prescribe punishment of upto 3 yrs , fine of one lac/2 lac• For hacking term of imprisonment remains upto 3yrs

but fine increased from 2 lakhs to 5 lacs• In S.67 imprisonment term reduced from 5 yrs to three

yrs. Fine increased from one lac to 5 lacs.• Most Offences are cognisable but bailable-upto 3 years

punishment-bailable-Section 77B• This is a new challenge for cyberlaw enforcement

authorities- need quick action by trained investigators to collect and preserve evidence as probability of tampering increases .

Collection of evidence streamlined• Section 67C- Intermediaries bound to preserve

and retain such information as Central govtprescribes, for prescribed duration-contravention punishable with upto 2yrs imprisonment ,upto one lac fine or both- no mandatory period prescribed yet.

• Accountability of service providers increased-Section 72A added-disclosure of information in breach of lawful contract-punishment upto 3 years , fine upto 5 lakh or both

Collection of evidence streamlined• Section 69 -Power of Central Govt to intercept,

monitor, decrypt information • IT (procedure and safeguards for interception,

monitoring and decryption of Information) Rules, 2009.

• Non-cooperating Subscriber or intermediary -liable to punishment of upto 7 yrs imprisonment and fine is added by amendment.

• Maintenance of confidentiality, due authorisation process, exercise power with caution.

Collection of evidence streamlined• Section 69 B added- confers power on central govt to appoint any

agency to monitor and collect traffic data or information generated,transmitted,received,or stored in any computer resource

• Use in order to enhance cyber security& identification,analysis and prevention of intrusion or spread of computer contaminant

• IT (procedure and safeguards for monitoring and collecting traffic data or information) Rules ,2009

• Responsibility to maintain confidentiality-intermediaries.• Authorisation procedures laid down• Review committee provision,destruction of records• Non cooperating intermediary-liable to punishment –term upto 3

yrs and fine.• Helpful in curbing cyber terrorism cases –power exercise with

caution-right to privacy may be affected.

Strengthening India’s cyber security• Section 70- protected systems- takes within its cover

the ‘Critical Information Infrastructure’• Computer resource, incapacitation or destruction of

which has debilitating impact on national security,economy,public health, safety.

• CERT appointed as Nodal Agency for incident response-Section 70B

• Multiple roles- alert system ,response team, issuing guidelines ,reporting incidents

• Non cooperating service providers, intermediaries,etcpunishable with term upto one year or fine upto one lacor both

• Excludes jurisdiction of court

EEE’s role • Examiner of Electronic Evidence created in

Section 79A• Central Government empowered to appoint this

agency• To provide expert opinion on electronic form of

evidence.• “electronic form evidence” –inclusive definition-

computer evidence, digital audio, digital video, cellphone, fax machines-information stored, transmitted in electronic form

• One EEE should be set up/appointed in every State

Power of investigation

• Confiscation – Section 76• Power to investigate offences -inspector and

above rank• Power to conduct search & seizure- Section 80 -

public place search without warrant on suspicion.

Amendments- Indian Evidence Act 1872

• Section 3 of the Evidence Act amended to take care of admissibility of ER as evidence along with the paper based records.

• Section 4 of IT Act confers legal recognition to electronic records

• Section79A of the IT Amendment Act ,2008 defines electronic evidence .includes computer evidence, digital audio/video, cellphones, digital fax machines

Sections of Evidence Act,1872• Section 47A- opinion of Certifying Authority with respect to

Electronic signatures• Section 67A- mandates proof of electronic signature of

subscriber• Section 85A- presumption in favour of electronic signature on

an electronic record purporting to be an agreement containing electronic signature

• Section 85C -presumption in favour of certain information listed in Electronic signature certificate

• Section 90A- presumption in favour of electronic signature on electronic record that is 5yrs old

• Section 73A-proof of digital signature • Section 45A opinion of Examiner of Electronic Evidence

Societe Des products Nestle SA case2006 (33 ) PTC 469

• By virtue of provision of Section 65A, the contents of electronic records may be proved in evidence by parties in accordance with provision of 65B.

• Held- Sub section (1) of section 65B makes admissible as a document, paper print out of electronic records subject to fulfillment of conditions specified in subsection 2 of Section 65B .

a) The computer from which the record is generated was regularly used to store or process information in respect of activity regularly carried on by person having lawful control over the period,

b) Information was fed in the computer in the ordinary course of the activities of the person having lawful control over the computer.

c) The computer was operating properly, and if not, was not such as to affect the electronic record or its accuracy.

d) Information reproduced is such as is fed into computer in the ordinary course of activity.

• In the context of Section 65B(2)(c) the condition that throughout the material part of the period to which the computer operations related, the computer was operating properly has to be complied with.

• Secondary evidence can be led –apart from certification procedure in Section 65B(d)• State v Mohd Afzal,

2003 (7) AD (Delhi)1

Liability of ISP revisited• Under earlier Section 79, network service providers were liable for

third party content only if they failed to prove offence was committed without knowledge or due diligence was exercised. Burden of proof was on Network service provider.

• The amended section excludes certain service providers and holds intermediary liable only if he has conspired , abetted or induced whether by threats or promise or otherwise in the commission of unlawful act (S.79(3)(a).)

• Onus to prove conspiracy, abetment, is shifted on Complainant.• Intermediary is liable also if on receipt of actual knowledge or on

receipt of intimation from govt agency, it fails to remove or disable such website’s access.

Bazee.com case-cyberporn• Required user to register on site• Seller to post item & write description• Telephonic verification of seller• Safety and trust division ran objectionable material filter check• Bazee .com received commission on sales• Ravi Raj was registered user with e-mail id psell@sify.com• He used new name as Alice Electronics gave a kharakpur address sold item under books

and magazines• Word ‘sex ‘at serial 23 of filter list , sexual at ’70’ still listing took place • Seller on receiving confirmation of payment will mail it as e-mail attachment to buyer

‘dps_rkpuram-sex-scandle.zip’• On 27th nov 2004 e-mail received from Amit vohra intimating the illegal activity , on 29th it

was closed.-sold 8 copies• Avnish Bajaj arrested.• As regards Section 292, no vicarious liability of director but under Section 67, read with

Section 85, director is primafacie liable .-listing primafacie obscene. “Delhi girls having fun”

Aneeta Hada v M/s. Godfather Travels & Tours• Thereafter, in Aneeta Hada v M/s. Godfather Travels & Tours (P)

ltd 2012 (5) SCC 661, the Hon'ble Supreme court considered criminal appeal no.1483 of 2009 titled Avjnish Bajaj v State along with other criminal appeals involving same question of law,whethera director can be held liable even where a company is not arraigned as an accused .

• The Hon'ble court took the view that under Section 85 of the Information Technology Act,2000,which provides for deemed liability of directors incase of offences committed by companies, a director cannot be held liable without impleading the company as an accused.

• The court quashed the proceedings against the appellant director as the company was not even arraigned as an accused. The court applied the doctrine of strict construction, and took the view that commission of offence by the company is an express condition precedent to attract the vicarious liability of others.

New challenges-blocking illegal content• Blocking of unlawful websites –three options-Section 69A,

civil court directs blocking, or 36 hr mandate to intermediaries

• Power lies with Central Govt or any authorised officer• Grounds for blocking fairly wide- issue of censorship vs free

flow of information• Information Technology (procedure and safeguards for

blocking for access of information by public) Rules 2009-36 hr mandate

• Websites containing hate speech, defamatory matter, slander, promoting gambling, racism ,violence, terrorism, pornography, can be reasonably blocked

• Blocking of websites also possible by court order• Calls for cooperation from intermediary-non cooperation-

punishable offence-term 7 yrs, fine

Imparting legal & technical training to law enforcement personnel

Make online hearings possible through videoconferencing.

Police need to inform adjudicating officer & complainant of cases in which damages can be claimed by complainantPower to grant injunctions-clarification –Adjudicating authorityImmediate rulemaking in S.67C-intermediary to preserve information-mandatory period to be prescribed

Strategies for effective enforcement of cyberlaws by Adjudicating Authority

Thank you!

SETH ASSOCIATESADVOCATES AND LEGAL CONSULTANTS

New Delhi Law Office:C-1/16, Daryaganj, New Delhi-110002, India

Tel:+91 (11) 65352272, +91 9868119137Corporate Law Office:

B-10, Sector 40, NOIDA-201301, N.C.R ,IndiaTel: +91 (120) 4352846, +91 9810155766

Fax: +91 (120) 4331304E-mail: mail@sethassociates.com