Cybercrimeopedia: New Rules under Information Technology Act

May 9, 2011

Rules under sections 6A, 43A and 79 of the Information Technology Act, 2000 (the IT Act) have recently been notified.

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 have now come into force.

The amended Information Technology Act has brought in the requirement for almost all entities to undergo an ISO 27001 audit.

We have already seen its features in the last edition.

The other rules that have come into force are:-

  1. Information Technology (Electronic Service Delivery) Rules, 2011.
  2. Information Technology (Intermediaries guidelines) Rules, 2011.
  3. Information Technology (Guidelines for Cyber Cafe) Rules, 2011.

Information Technology (Electronic Service Delivery) Rules, 2011

The rules are enacted in exercise of the powers conferred by Section 87 (2) (zg), read with Section 79 (2) of the Information Technology Act, 2000.

Section 87 (2) (zg) empowers Government to make guidelines to be observed by the intermediaries under Section 79 (2) of the Information Technology Act, 2000.

Section 79 (2) reads as under:-

Exemption from liability of intermediary in certain cases

79. (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.

(2) The provisions of sub-section (1) shall apply if—

(a)    the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or
(b)    the intermediary does not –

(1)    initiate the transmission,
(2)    select the receiver of the transmission, and
(3)    select or modify the information contained in the transmission;

(c)    the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.

The rule introduces the “Licencing Agency” as an agency designated by the government to issue licences to cyber cafés for their operation. Hence, from now onwards only the Licencing Agency can grant licences to Cyber Cafés.

The rule further explains Identification of Users. It says that a user cannot use a computer resource unless he or she establishes their identity by producing any of the documents listed below:-

  • Identity card issued by any School or College;
  • Photo Credit Card or debit card issued by a Bank or Post Office;
  • Passport;
  • Voters Identity Card;
  • Permanent Account Number (PAN) card issued by Income-Tax Authority;
  • Photo Identity Card issued by the employer or any government agency;
  • Driving License issued by the appropriate government.

It also states that children (under 18 years) without a photo identity card shall be accompanied by an adult with a valid ID card.

The rule defines “Log Register” as a register maintained by the Cyber Café for access to computer resources. It states that the Cyber Café shall record and maintain the required information of each user in the log register for a minimum period of one year. The rules also make it mandatory for the Cyber Café to prepare a monthly report of the log register showing date-wise details on the usage of the computer resource and to submit a hard and soft copy of the same to the person or agency directed by the licencing agency by the 5th day of every month.

The rule also makes it compulsory for cyber café owners to store and maintain the following backups of logs and computer resource records for at least six months for each access or login by any user:-

  • History of websites accessed using computer resource at cyber café
  • Mail server logs
  • Logs of proxy server installed at cyber café
  • Logs of network devices such as router, switches, systems etc. installed at cyber café
  • Logs of firewall or Intrusion Prevention/Detection systems, if installed.

Cyber Cafés may refer to “Guidelines for auditing and logging – CISG-2008-01” prepared by the Indian Computer Emergency Response Team (CERT-In) for any assistance related to logs. This document is available at www.cert-in.org.in.

The rule also describes the Management of Physical Layout and computer resources to be maintained by the Cyber Café.

They are as follows:-

  • Partitions of cubicles should not be more than four and half feet in height from the floor level.
  • Screen of all computers other than in partitions should be facing “outwards”, i.e. facing common space.
  • Minors shall not be allowed to sit in cubicles unless they are accompanied by adults.
  • All time clocks in the Cyber Café shall be synchronized to the Indian Standard Time (IST).
  • All the computers in the cyber café shall be equipped with safety/filtering software so as to avoid access to websites relating to pornography, obscenity, terrorism and other objectionable materials.

The rules have authorised an officer, not below the rank of Police Inspector, as authorised by the licensing agency, to check or inspect the cyber café and the computer resource or network established therein at any time for compliance with these rules. It is the duty of the cyber café owner to co-operate with the officer by providing every related document, register and any necessary information on demand.

Information Technology (Intermediaries guidelines) Rules, 2011

The rules are enacted in exercise of the powers conferred by Section 87 (2) (zg), read with Section 79 (2) of the Information Technology Act, 2000.

Section 87 (2) (zg) empowers Government to make guidelines to be observed by the intermediaries under Section 79 (2) of the Information Technology Act, 2000. Section 79 (2) is reproduced above.

The rule has defined the concept of “Blog” for the first time under the IT Act and rules thereunder. It defines “Blog” as, “a type of website, usually maintained by an individual with regular entries of commentary, descriptions of events, or other material such as graphics or video. Usually blog is a shared on-line journal where users can post diary entries about their personal experiences and hobbies.”

It further defines “Blogger” as “a person who keeps and updates a blog” and “User” as “any person including blogger who uses any computer resource for the purpose of sharing information, views or otherwise and includes other persons jointly participating in using the computer resource of intermediary.”

The rule introduces the concept of “Cyber Security Incident”, which means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information, or changes to data or information without authorisation.

According to the rule, the intermediary shall observe the following due diligence policies while discharging its duties:-

  • The intermediary shall publish the terms and conditions of use of its website, user agreement, privacy policy etc.
  • The intermediary shall notify its users not to use, display, upload, modify, publish, transmit, update, share or store any information that:-
    a)    violates the Intellectual Property Right of another person;
    b)    is harmful, threatening, abusive, harassing, blasphemous, objectionable, defamatory, vulgar, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable, disparaging, relating to or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
    c)    is harmful to minors in any way;
    d)    discloses sensitive personal information of another person or to which the user does not have any right;
    e)    causes annoyance or inconvenience, or is grossly offensive or menacing in nature, or impersonates another person, or misleads the addressee about the origin of such messages (which means it is the duty of the intermediary to notify its users not to spread spam or any other false messages);
    f)    contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
    g)    threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order, or causes incitement to the commission of any cognizable offence, or prevents investigation of any offence, or is insulting to any other nation.

According to the rule, all the aforementioned clauses should be included in all the relevant user-related documents. The intermediary has the right to terminate the access rights of users who do not comply with the terms of use of the services, the privacy policy or any other such document.

It is the duty of the intermediary not to host, publish, edit or store any such information, and not to initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission, as specified in sub-rule (2).

In case of violation of any of these clauses, it is the duty of the intermediary to immediately remove access to such information. Further, the intermediary shall inform the police about such information and preserve the records for 90 days.

It is the duty of the intermediary not to disclose any “sensitive personal information” as defined under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, and to observe all the rules and regulations under those Rules.

The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

The intermediary shall not deploy, install or modify technological measures, or become party to any such act, which may circumvent any law for the time being in force.

The intermediary shall publish on its website the designated agent to receive notification of claimed infringements.

Sagar is a Law graduate. He is Head at Asian School of Cyber Laws(Maharashtra). He specializes in Cyber Law, Intellectual Property Law and Corporate Law. He teaches at numerous educational institutions across India.
