The first question that a student of cyber law will ask is whether there is a need for a separate field of law to cover cyberspace. Isn’t conventional law adequate to cover cyberspace?
Let us consider cases where so-called conventional crimes are carried out using computers or the Internet as a tool. Consider cases of spread of pornographic material, criminal threats delivered via email, websites that defame someone or spread racial hatred etc. In all these cases, the computer is merely incidental to the crime. Distributing pamphlets promoting racial enmity is in essence similar to putting up a website promoting such ill feelings.
Of course it can be argued that when technology is used to commit such crimes, the effect and spread of the crime increases enormously. Printing and distributing pamphlets even in one locality is a time-consuming and expensive task while putting up a globally accessible website is very easy.
In such cases it can be argued that conventional law can handle cyber cases. The Government can simply impose a stricter liability (by way of imprisonment and fines) if the crime is committed using certain specified technologies. A simplified example would be stating that spreading pornography by electronic means should be punished more severely than spreading pornography by conventional means.
As long as we are dealing with such issues, conventional law would be adequate. The challenges emerge when we deal with more complex issues such as ‘theft’ of data. Under conventional law, theft relates to “movable property being taken out of the possession of someone”.
Movable property is defined by the General Clauses Act, 1897 as “property of every description, except immovable property”. The same law defines immovable property as “land, benefits to arise out of land, and things attached to the earth, or permanently fastened to anything attached to the earth”. Using these definitions, we can say that the computer is movable property.
Let us examine how such a law would apply to a scenario where data is ‘stolen’. Consider my personal computer on which I have stored some information. Let us presume that some unauthorised person picks up my computer and takes it away without my permission. Has he committed theft? The elements to consider are whether some movable property has been taken out of the possession of someone. The computer is a movable property and I am the legal owner entitled to possess it. The thief has dishonestly taken this movable property out of my possession. It is theft.
Now consider that some unauthorised person simply copies the data from my computer onto his pen drive. Would this be theft? Presuming that the intangible data is movable property, the concept of theft would still not apply as the possession of the data has not been taken from me. I still have the ‘original’ data on the computer under my control. The ‘thief’ simply has a ‘copy’ of that data. In the digital world, the copy and the original are indistinguishable in almost every case.
Consider another illustration on the issue of ‘possession’ of data. I use the email account [email protected] for personal communication. Naturally a lot of emails, images, documents etc are sent and received by me using this account. The first question is, who ‘possesses’ this email account? Is it me because I have the username and password needed to ‘login’ and view the emails? Or is it Google Inc, because the emails are stored on their computers?
Another question would arise if some unauthorised person obtains my password: can it be said that this person is now also in possession of my emails, because he has the password to ‘login’ and view the emails?
Another legal challenge emerges because of the ‘mobility’ of data. Let us consider an example of international trade in the conventional world. Sameer purchases steel from a factory in China, uses the steel to manufacture nails in a factory in India and then sells the nails to a trader in USA. The various Governments can easily regulate and impose taxes at various stages of this business process.
Now consider that Sameer has shifted to an ‘online’ business. He sits in his house in Pune (India) and uses his computer to create pirated versions of expensive software. He then sells this pirated software through a website (hosted on a server located in Russia). People from all over the world can visit Sameer’s website and purchase the pirated software. Sameer collects the money using a PayPal account that is linked to his bank account in a tax haven country like the Cayman Islands.
It would be extremely difficult for any Government to trace Sameer’s activities.
It is for these and other complexities that conventional law is unfit to handle issues relating to cyberspace. This brings in the need for a separate branch of law to tackle cyberspace.
Jurisprudence of Indian Cyber Law
Note: The Act, rules, regulations, orders etc referred to in this section are discussed in more detail in Chapter 3 titled “Introduction to Indian Cyber Law”.
The primary source of cyber law in India is the Information Technology Act, 2000 (IT Act) which came into force on 17 October 2000.
The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government.
The IT Act also penalizes various cyber crimes and provides strict punishments (imprisonment terms up to 10 years and compensation up to Rs 1 crore).
An Executive Order dated 12 September 2002 contained instructions relating to provisions of the Act with regard to protected systems and application for the issue of a Digital Signature Certificate.
Minor errors in the Act were rectified by the Information Technology (Removal of Difficulties) Order, 2002 which was passed on 19 September 2002.
The IT Act was amended by the Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002. This introduced the concept of electronic cheques and truncated cheques.
The Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 have provided the necessary legal framework for filing of documents with the Government as well as issue of licenses by the Government.
It also provides for payment and receipt of fees in relation to the Government bodies.
On the same day, the Information Technology (Certifying Authorities) Rules, 2000 also came into force.
These rules prescribe the eligibility, appointment and working of Certifying Authorities (CAs). These rules also lay down the technical standards, procedures and security methods to be used by a CA.
These rules were amended in 2003, 2004 and 2006.
The Information Technology (Certifying Authority) Regulations, 2001 came into force on 9 July 2001. They provide further technical standards and procedures to be used by a CA.
Two important guidelines relating to CAs were issued. The first are the Guidelines for submission of application for license to operate as a Certifying Authority under the IT Act. These guidelines were issued on 9 July 2001.
Next were the Guidelines for submission of certificates and certification revocation lists to the Controller of Certifying Authorities for publishing in the National Repository of Digital Certificates. These were issued on 16 December 2002.
The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 also came into force on 17 October 2000.
These rules prescribe the appointment and working of the Cyber Regulations Appellate Tribunal (CRAT) whose primary role is to hear appeals against orders of the Adjudicating Officers.
The Cyber Regulations Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Presiding Officer) Rules, 2003 prescribe the salary, allowances and other terms for the Presiding Officer of the CRAT.
The Information Technology (Other powers of Civil Court vested in Cyber Appellate Tribunal) Rules 2003 provided some additional powers to the CRAT.
On 17 March 2003, the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 were passed.
These rules prescribe the qualifications required for Adjudicating Officers. Their chief responsibility under the IT Act is to adjudicate on cases such as unauthorized access, unauthorized copying of data, spread of viruses, denial of service attacks, disruption of computers, computer manipulation etc.
These rules also prescribe the manner and mode of inquiry and adjudication by these officers.
The appointment of adjudicating officers to decide the fate of multi-crore cyber crime cases in India was the result of the public interest litigation filed by students of Asian School of Cyber Laws (ASCL).
The Government had not appointed the Adjudicating Officers or the Cyber Regulations Appellate Tribunal for almost 2 years after the IT Act had come into force. This prompted ASCL students to file a Public Interest Litigation (PIL) in the Bombay High Court asking for speedy appointment of Adjudicating officers.
The Bombay High Court, in its order dated 9 October 2002, directed the Central Government to announce the appointment of adjudicating officers in the public media to make people aware of the appointments. The division bench of the Mumbai High Court consisting of Hon’ble Justice A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that the Cyber Regulations Appellate Tribunal be constituted within a reasonable time frame.
Following this, the Central Government passed an order dated 23 March 2003 appointing the “Secretary of Department of Information Technology of each of the States or of Union Territories” of India as the adjudicating officer for that State or Union Territory.
The Information Technology (Security Procedure) Rules, 2004 came into force on 29 October 2004. They prescribe provisions relating to secure digital signatures and secure electronic records.
Also relevant are the Information Technology (Other Standards) Rules, 2003.
An important order relating to blocking of websites was passed on 27 February, 2003.
The Computer Emergency Response Team (CERT-IND) can instruct the Department of Telecommunications (DoT) to block a website.
The Indian Penal Code (as amended by the IT Act) penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc.
Digital evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the IT Act).
In case of bank records, the provisions of the Bankers’ Book Evidence Act (as amended by the IT Act) are relevant.
Investigation and adjudication of cyber crimes is done in accordance with the provisions of the Code of Criminal Procedure and the IT Act. The Reserve Bank of India Act was also amended by the IT Act.
The Information Technology (Amendment) Act, 2008, which came into force on 27th October, 2009, has made sweeping changes to the Information Technology Act, 2000.
The following rules have also come into force on the same day:
(1) Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
(2) Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
(3) Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009
(4) The Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009
(5) Cyber Appellate Tribunal (Procedure for Investigation of Misbehavior or Incapacity of Chairperson and Members) Rules, 2009.