Research & Opinion
IT Act Anniversary: 20 Years Since India Adopted Cyber Regulations
By Naavi
17th October each year is a day to remember for all those who use computers and mobiles particularly for business or commercial transactions. This is the “Digital Society Day of India” the day digital society was born in India.
It was on 17th October 2000 that India notified Information Technology Act 2000(ITA 2000) which gave legal recognition to electronic documents, digital signatures, and therefore digital contracts. Had we not passed this law, India could not have traversed through the Covid lockdown with all IT Companies continuing to do legally acceptable business with employees working from home, signing online contracts, making online payments etc.
Having completed the eventful 20 years, it is time to reflect whether ITA 2000 has been a robust law that is good enough to server us in the forthcoming decade also. Some provisions of ITA 2000 such as the amendment to Indian Evidence Act and introduction of Section 65B have been an unprecedented innovation that may survive even the coming days of Quantum Computing. Some provisions on digital contracts are good enough even in the days of Artificial Intelligence. Privacy Protection through Data Protection which came into ITA 2000 through the amendments in 2008 have been a moderate success and are getting strengthened with the upcoming Personal Data Protection Act. The introduction of PKI based digital signature and later on the e_Sign system has also served the digital transactions reasonably well.
But, in the area of Cyber Crime control, it appears that ITA 2000 fell short of the expectations. There has been a continuous rise in cyber crimes and with a very low level of convictions, the Cyber Crime law has failed to provide deterrence.
Though the Cyber Crime definitions under Section 66 could handle new generation crimes such as the “Ransomware”, the removal of Section 66A, the raise of social media with fake news, the lack of support from intermediaries in combating cyber crime, the increase in Phishing and Mobile crimes, lack of implementation of Information Security particularly by Banks, failure to take control of the Domain Name related crimes, surging use of Bitcoins as the currency of criminals, have been an eye sore to the otherwise shining Digital India.
It is therefore time that we use our experience of the last 20 years of Cyber Laws in India to address some key deficiencies in the ITA 2000 perhaps through further notifications and if necessary, an amendment.
The Government of India has however been very circumspect in making necessary amendments and even in issuing certain notifications. Many times they came up with some good provisions but at the first sign of opposition, withdrew the amendments as if they were guilty of bringing up some illegal law.
For example, when UIDAI wanted to monitor the social media for PR reasons and issued a tender as part of their day to day operations, some un-informed persons went to Supreme Court alleging mass surveillance. The Government had no commitment nor perhaps an understanding of what UIDAI wanted to do and simply withdrew the tender notification. When Government introduced a notification under Section 69A of ITA 2000 notifying some designated authorities who may be provided powers under the Act for surveillance, again the ignorant opposition went to the Supreme Court and equally ignorant Government withdrew the notification. Once again, when a notification was made under Section 79 to moderate the social media and prevent fake news, opposition raised objection and the spineless Government promptly withdrew the notification.
Thus, time and again the Government has shown unwillingness to call the bluff of the opposition and has been happy to introduce some proposed amendment and withdraw it at the first sign of opposition.
As a result, ITA 2000 remains without any improvement since the 2008 amendment. We hope at least on the occasion of the 20th Anniversary of ITA 2000, Government would muster enough courage to be able to introduce some much-needed changes to the law and defend it even if the opposition raises an objection. Afterall whether it is CAA or the Farm Bill, opposition will raise objection and if the Government wants to be decisive, it has to take bold initiatives and fight it out with the opposition and if necessary with the Courts.
In this context, I suggest that there is a need to consider at least Six important changes that need to be made to the ITA 2000/8 at the earliest.
One of the first and foremost is to ensure that social media menace is put on check by preventing “Fake Accounts” and “Fake News”. Presently people misuse two important constitutional rights namely the “Right to Privacy” and “Right to Freedom of Speech”. This has resulted in the Social media vehicles such as Twitter, WhatsApp, FaceBook etc becoming the tools of spreading national unrest. This has been time and again been proved in the fomentation of riots in Delhi and Bangalore and must be curbed with an iron hand.
One of the requirements in this direction is to ensure that opinions in social media are carried only through “Verified Social Media Accounts”. A step has been on this in the forthcoming Personal Data Protection Act (PDPA) which is still a bill to be passed in the Parliament and getting delayed for various reasons. Once fake social media accounts are eliminated, a substantial part of the anti-social activities on the social media will stop.
Secondly, the Government has to undo the error of the Supreme Court in the Shreya Singhal case of scrapping Section 66A. Government has to reintroduce an equivalent provision in the Act where “Offences committed with Messages” is recognized as a category of offence along with “Offences committed with Publishing”.
In the Shreya Singhal Case the Government failed to convince the Court that Section 66A was about “messaging” and addressed cyber stalking, Cyber bullying, Cyber threat, “Cyber extortion”, “Phishing”, “Fake news”, “Cyber defamation” etc. Instead, the Government allowed the Court to consider Section 66A as a provision related to “Publishing” and scrap it for reasons such as “Freedom of Expression”. This is the single most important reason why there is today a free license to use WhatsApp to abuse and threaten the recipient of a message and escape punishments under ITA 2000.
The third important need for amendment is in the area of making “Intermediaries more responsible”. It is extremely important that if we want to bring down Cyber Crimes in the country, the “Intermediaries” like the ISPs, MSPs, Messaging platforms and other intermediaries take steps to mitigate the misuse of the platform.
Law provides for this under Section 79, but implementation is lacking and some useful changes proposed in the amendments in December 2018 was shelved because of the opposition. We need to re-introduce the amended Section 79 rules so that “Tracking” of messages to the source, “Prevention of hiding the identity under false pretence of Privacy”, must be stopped.
Fourthly, there is also a need for the ITA 2000 to take control of Cyber Crimes that occur in the form of “Phishing” through fake websites with domain names registered to confuse the users. This is possible by bringing the “Domain Name Registrars” who are today controlled only by ICANN and have no accountability to Indian law within the provisions applicable to “Intermediaries”.
Fifthly, there is a requirement is to regulate Mobile Apps and Games through an appropriate regulatory mechanism so that fraudulent mobile apps donot get into the play stores and harmful games donot destroy our youngsters. A new regulator such as “Controller of Apps and Games” need to be designated for this purpose.
The Sixth and the most important step required to be taken to reduce Cyber Crimes, is to choke the dark web and criminal activities by banning the currency of the criminals namely the “Crypto Currencies” like the Bitcoin. Bitcoin is an instrument of corruption and there is every reason to believe that the decision makers themselves have been so compromised with this poison and allowed a free play for the crypto currencies to be used for managing the criminal activities. It is the currency of choice for ransomware extortions, financing terrorism as well selling drugs and illegal arms on line.
If the Government of India wants to strengthen the Cyber Crime Prevention system in the country, then an amendment bill should be brought for some of the reasons stated above. Many of these changes actually may not even need amendment of the Act and can be achieved through properly worded notifications.
Let’s hope that the Ministry of Information Technology consults the right kind of specialists and bring out appropriate amendments and there after stay strong and not yield ground to protesters who have nothing else to do.
In the meantime, Let’s remember today as the 20th Anniversary of the “Digital Society of India” and request the Government to celebrate October 17th each year to spread awareness about the Act through appropriate outreach programs.
The writer – Naavi is Data Protection and Data Governance Consultant. He is Chairman, Foundation of Data Protection Professionals in India (FDPPI) and Founder of www.naavi.org