Q1. Prior to the amendments the IT act was perceived as a toothless tiger against the cyber criminals. Post amendments does the IT act give you a legal shield to battle the menace of cyber crimes?
A. It would not be correct to say that the IT Act was like a toothless tiger before the amendments. It was quite comprehensive even before the amendments. Every legislation has to evolve with time. The evolution process is faster in case of technology related legislations as technological advancements tend to be rapid.
The amendments have rationalized some sections and expanded the scope of the act. For example earlier Section 66 was a section which could be invoked against any crime that "Diminished the value of information residing inside a computer resource". This section has been clarified now with 10 subsections through an integration with Section 43. Sec 66A and 66F are new provisions that add new crimes to the act.
The only point of discussion regarding the dilution or otherwise is that most of the offences are now considered "Bailable". This however may be considered as an attempt to prevent misuse of the act against innocent persons rather than being treated as an attempt to make it easy for offenders to get bail.
Certain provisions in the amended Act will certainly make the fight easier. Allowing an Inspector to investigate crimes under the IT Act instead of a Deputy Superintendent of Police is one of those. In that sense, the amended Act is an improvement upon the original Act.
The biggest change however is that ITA 2008 attempts to create a "Security Culture" in the society with the creation of a "Security Management Infrastructure" by prescribing "Reasonable Security Practices" and expanding the concept of "Due Diligence" applicable to companies and Intermediaries. By assuming certain powers under Section 69, 69A,69B and 70B as well as imposing certain data retention obligations on the companies. In the long run this would provide a better cyber crime prevention mechanism than the deterrent effect of punishments.
Q2. What are some concerns that have not been addressed by the recent amendments in the act?
Ans. The main cause of lack of implementation of the regulations or faulty implementation of the law is the lack of awareness about law. The solution for better regulatory regime lies in strengthening the cyber law awareness amongst consumers. The law could have provided for incentivisation and obligations on creating a "Cyber Law Aware Cyber Society". In future also "Lack of Awareness" will continue to reduce the effectiveness of law.
Another deficiency which is apparent relates to data protection. Certain amended provisions do address data protection but the treatment could have been more comprehensive looking at existing EU Directives on Data Protection. This would however be corrected with the 'Data Protection & Privacy' law which the government is currently contemplating on.
Q3. What are some of the improvements that the amended act has brought about? Is there anything to thank for in the 2008 legislation?
Ans. Sections 43A, 72A and 67C are specific provisions that strengthen the Data Protection regime in India. This is a highly commendable aspect of the legislation.
Strengthening the organization of CERT-IN and enabling it to be a powerful regulator is another significant aspect.
One of the less recognized but more important change is in the revised structure of the Cyber Appellate Tribunal which has increased the effectiveness of the supporting judicial system.
Increase in the amount of compensation that can be claimed through adjudication from Rs 1 crore to Rs 5 crore is also another positive feature.
Introduction of the "Electronic Signature" has introduced new technical possibilities.
The amendments are an attempt to make the Act as technologically neutral as possible, which is a welcome step.
Also, there are new penal provisions addressing spam messages, trading in access codes and passwords, phishing attacks, identity thefts, unauthorized use of mobile phone cameras among others which have widened its scope.
The amended Act envisages appointment of experts for examining electronic evidence and delegates investigation to Inspectors.
All these are welcome improvements upon the earlier Act. Overall several good things have happened because of the amendments.
Q4. How closely should the IT and legal department work in order to build synergies? How can the IT- legal confluence help combat the scourge of cyber crime?
Ans. If the objective of law is to prevent occurrence of a crime, it has to address not only post offence punishment but also encourage proactive defense systems. Imposing legal obligations on information security practices is a step in this direction. This requires the IT and legal systems to work in close coordination.
Even at the post offence scenario, collection and presentation of evidence is an area where the IT and legal system should work in close coordination.
The amendments have attempted to bring such a synergy through the prescription of "Reasonable Securities" under Section 43A and due diligence under Sections 79 and 85.
To tackle cyber crimes, the need for the IT and legal departments to come together cannot be stressed enough. For any charge to be framed, evidence is important. In case of cyber crimes, the IT department becomes responsible to collect such evidence. Logically no other department would have such technical proficiency.
The legal department will, thus, need the help of the IT deparment to legally assess a particular incident and take appropriate action.
Q5. The rate of reporting, prosecution and conviction in cases of cyber crime is abysmally low in India. In such a scenarion how much trust do you repose in the investigation mechanism of our law enforcement agencies?
Ans. If victims do not understand the remedies available under law and seek remedies, we cannot blame the investigating officers that they have not prosecuted the offenders.
Everybody in the field including the Police, legal, judicial as well as the Information security community is in the learning phase and improvements can be expected over a period of time.
The enormous awareness on "Due Diligence" created by the recent verdict of the Adjudicator of Tamil Nadu against ICICI Bank in a Phishing Case which has resulted in a spurt of reporting of Phishing losses is an example of how better awareness leads to better implementation of laws.
As long as our criminal law functions upon the principle, ''let a thousand criminals go free but do not allow even one innocent man to go to jail", the rate of conviction will remain low.
Also, in many incidents the scene of crime due to ignorance would aleady have been disturbed before law enforcement agencies reach the scene.
This is especially true for corporate organizations, where they will typically try to retrieve and collect evidence before the law enforcement agencies enter the scene.
In many occasions, if the person collecting the evidence is not properly trained, such evidence is either lost or becomes inadmissible in a court. In such cases, conviction will naturally be difficult.
Capacity building to tackle such kind of criminal activity in a populous country such as ours will take time. We need to bear with them. With time things are sure to improve.
A. It would not be correct to say that the IT Act was like a toothless tiger before the amendments. It was quite comprehensive even before the amendments. Every legislation has to evolve with time. The evolution process is faster in case of technology related legislations as technological advancements tend to be rapid.
The amendments have rationalized some sections and expanded the scope of the act. For example earlier Section 66 was a section which could be invoked against any crime that "Diminished the value of information residing inside a computer resource". This section has been clarified now with 10 subsections through an integration with Section 43. Sec 66A and 66F are new provisions that add new crimes to the act.
The only point of discussion regarding the dilution or otherwise is that most of the offences are now considered "Bailable". This however may be considered as an attempt to prevent misuse of the act against innocent persons rather than being treated as an attempt to make it easy for offenders to get bail.
Certain provisions in the amended Act will certainly make the fight easier. Allowing an Inspector to investigate crimes under the IT Act instead of a Deputy Superintendent of Police is one of those. In that sense, the amended Act is an improvement upon the original Act.
The biggest change however is that ITA 2008 attempts to create a "Security Culture" in the society with the creation of a "Security Management Infrastructure" by prescribing "Reasonable Security Practices" and expanding the concept of "Due Diligence" applicable to companies and Intermediaries. By assuming certain powers under Section 69, 69A,69B and 70B as well as imposing certain data retention obligations on the companies. In the long run this would provide a better cyber crime prevention mechanism than the deterrent effect of punishments.
Q2. What are some concerns that have not been addressed by the recent amendments in the act?
Ans. The main cause of lack of implementation of the regulations or faulty implementation of the law is the lack of awareness about law. The solution for better regulatory regime lies in strengthening the cyber law awareness amongst consumers. The law could have provided for incentivisation and obligations on creating a "Cyber Law Aware Cyber Society". In future also "Lack of Awareness" will continue to reduce the effectiveness of law.
Another deficiency which is apparent relates to data protection. Certain amended provisions do address data protection but the treatment could have been more comprehensive looking at existing EU Directives on Data Protection. This would however be corrected with the 'Data Protection & Privacy' law which the government is currently contemplating on.
Q3. What are some of the improvements that the amended act has brought about? Is there anything to thank for in the 2008 legislation?
Ans. Sections 43A, 72A and 67C are specific provisions that strengthen the Data Protection regime in India. This is a highly commendable aspect of the legislation.
Strengthening the organization of CERT-IN and enabling it to be a powerful regulator is another significant aspect.
One of the less recognized but more important change is in the revised structure of the Cyber Appellate Tribunal which has increased the effectiveness of the supporting judicial system.
Increase in the amount of compensation that can be claimed through adjudication from Rs 1 crore to Rs 5 crore is also another positive feature.
Introduction of the "Electronic Signature" has introduced new technical possibilities.
The amendments are an attempt to make the Act as technologically neutral as possible, which is a welcome step.
Also, there are new penal provisions addressing spam messages, trading in access codes and passwords, phishing attacks, identity thefts, unauthorized use of mobile phone cameras among others which have widened its scope.
The amended Act envisages appointment of experts for examining electronic evidence and delegates investigation to Inspectors.
All these are welcome improvements upon the earlier Act. Overall several good things have happened because of the amendments.
Q4. How closely should the IT and legal department work in order to build synergies? How can the IT- legal confluence help combat the scourge of cyber crime?
Ans. If the objective of law is to prevent occurrence of a crime, it has to address not only post offence punishment but also encourage proactive defense systems. Imposing legal obligations on information security practices is a step in this direction. This requires the IT and legal systems to work in close coordination.
Even at the post offence scenario, collection and presentation of evidence is an area where the IT and legal system should work in close coordination.
The amendments have attempted to bring such a synergy through the prescription of "Reasonable Securities" under Section 43A and due diligence under Sections 79 and 85.
To tackle cyber crimes, the need for the IT and legal departments to come together cannot be stressed enough. For any charge to be framed, evidence is important. In case of cyber crimes, the IT department becomes responsible to collect such evidence. Logically no other department would have such technical proficiency.
The legal department will, thus, need the help of the IT deparment to legally assess a particular incident and take appropriate action.
Q5. The rate of reporting, prosecution and conviction in cases of cyber crime is abysmally low in India. In such a scenarion how much trust do you repose in the investigation mechanism of our law enforcement agencies?
Ans. If victims do not understand the remedies available under law and seek remedies, we cannot blame the investigating officers that they have not prosecuted the offenders.
Everybody in the field including the Police, legal, judicial as well as the Information security community is in the learning phase and improvements can be expected over a period of time.
The enormous awareness on "Due Diligence" created by the recent verdict of the Adjudicator of Tamil Nadu against ICICI Bank in a Phishing Case which has resulted in a spurt of reporting of Phishing losses is an example of how better awareness leads to better implementation of laws.
As long as our criminal law functions upon the principle, ''let a thousand criminals go free but do not allow even one innocent man to go to jail", the rate of conviction will remain low.
Also, in many incidents the scene of crime due to ignorance would aleady have been disturbed before law enforcement agencies reach the scene.
This is especially true for corporate organizations, where they will typically try to retrieve and collect evidence before the law enforcement agencies enter the scene.
In many occasions, if the person collecting the evidence is not properly trained, such evidence is either lost or becomes inadmissible in a court. In such cases, conviction will naturally be difficult.
Capacity building to tackle such kind of criminal activity in a populous country such as ours will take time. We need to bear with them. With time things are sure to improve.
1 comment:
Deepak: On the SANS Institute's forensics blog, I have published new methods for preserving and authenticating evidence in a cyber investigation. http://goo.gl/ramnu What is your opinion? --Ben
Post a Comment