Tuesday, July 12, 2011

Amendments to Information Technology Act - Is Legal System Ready to Answer Information Technology

Without doubt, law lags behind technology. Nevertheless, law being a tool of social engineering, it can in no way shrug off the newer issues generated by the growth of technology. The legal system usually accomplishes this duty by adapting existing principles to match the technological challenges. Even though such management of affairs by adapting existing provisions is possible, at a later stage specific enactments are created to address issues of technological origin. Thus the use of existing provisions in the nascent stage of a technology is a breathing time enjoyed by the law makers. In other words, it is the time for law framers to do their homework on the newer law. With respect to information technology, India went for its first statute vide the Information Technology Act, 2000 (ITA 2000). In bringing out a comprehensive law, even though India was lagging four to six years behind the pioneers, compared to the majority of the world's countries India was well in advance. Even though not excusable, this can be cited as a reason for the lapses in ITA 2000. When amendments to ITA 2000 were mooted, many in the field followed them hopefully. The Information Technology (Amendment) Act, 2008 (ITAA 2008) is to be scrutinized keeping all these facts and concerns in mind.

The major contribution of ITAA 2008 is that it has done away with the exclusivity given to digital signature as a means of authentication in electronic form. Henceforth, irrespective of the technique, any electronic mode of authentication is a signature in electronic form. However, which techniques can be considered electronic signatures is to be decided by the government. Earlier, in sanctifying digital signature, ITA 2000 was canvassing for a specific technology, whereas with respect to electronic signature that is not the position, because there is complete freedom as far as the choice of technique is concerned. Nevertheless, digital signature continues to be acceptable too; thus the present position can be continued without much disturbance while newer techniques can be incorporated as signatures.

Almost any kind of communication device is now within the purview of the enactment. Further, the concept of intermediary has been expanded; earlier it was limited to some specific categories. On the other hand, the protection given to internet service providers has been extended to intermediaries also. It is to be noted that the ‘bazee.com’ issue and the sentiments of the industry stand balanced by this double-pronged change. With respect to the formation of contracts through the online medium, a new provision has been devised in an attempt to answer the possible issues. By existing principles, contract formation requires a meeting of the minds of two persons. Vide ITAA 2008, no contract will be deemed unenforceable merely because it was made through electronic means. It is to be noted that, even though such a protection is provided, whether a computer can make a contract is still an open question.

The scope of tortious liabilities and remedies has been widened to a great extent. Further, a liability has been cast on entities handling personal information. This change is to be read in the light of some credit card frauds in which personnel of BPO entities had used information of clients. The limit of compensation or damages that can be awarded by the adjudicating officer has been increased from one crore to five crores. Further, the competent court has been vested with jurisdiction for any claim over and above five crores. Thus one needs to conclude that the parallel mechanism that was envisaged in ITA 2000 is now limited to claims up to rupees five crores. This change is a bit confusing. Usually a specialized mechanism is created to deal with technical issues in the area in which it has expertise. By bringing conventional courts into the picture, that logic is negated. Either the parallel mechanism ought to have been avoided or it should have been taken into confidence completely. The presence of appellate remedies is definitely a supporting argument for continuing solely with a parallel mechanism. The series of cosmetic changes made to the provisions dealing with the appellate tribunal is another highlight of ITAA 2008.

Without any hesitation one can say that the bulk of definitions of offences is the biggest impact generated. Further, all the tortious acts will also invite penal liability if the mental element is present. Thus the widened scope of the enactment with respect to tortious acts is also made liable under penal law. Quite unexpectedly, ITAA 2008 has attempted to define all the technological misuses. Thus dissemination of offensive information, imaging of private parts of persons, terrorism using information technology, impersonation, personating, use of stolen information technology items etcetera find a place. It is to be noted that while defining tortious acts as well as offences, ITA 2000 and ITAA 2008 make the mistake of stressing too much on techniques of misuse. Such a mode in effect creates a vacuum with respect to newer technical methods of misuse. The better option is to define on the basis of principles, so that any mode of laceration of the same will be liable irrespective of the technique employed. This will also change the need for frequent amendments. Many of the amendments in ITAA 2008 could have been avoided if this had been in the mind of the framers when ITA 2000 was enacted.

The issue of child pornography is also addressed by ITAA 2008. Further, abetting and attempt have also been made punishable. The condition that the investigating officer should be at least of the rank of deputy superintendent has been relaxed to that of inspector.

ITA 2000 had overriding effect over other laws, but vide ITAA 2008 this overriding effect has been restricted as far as the exercise of rights under copyright law and patent law is concerned. This change will definitely invite discussion on industrial fronts. The attempted point is not at all clear. A total lack of deliberation in the houses of parliament at the time of passing, which one could even term dereliction of duty, further complicates the reader’s agony in finding a meaning for this change. A high degree of lobbying is the only possible reason behind such an amendment. But in their enthusiasm, rather than protecting some vested interest, the lobbyists and their fiddle players have invited more trouble. The confusion between protected systems under ITA 2000 and protection under intellectual property rights was first mentioned in one of the High Court of Kerala’s decisions (Feroz’s Case, ‘Friends Jansevana Kendra’s Software Issue’). There can never be any possible conflict between issues in information technology and intellectual property rights because the two are not directly connected at all. The point misquoted by the Court seems to have been perpetuated by the legislature and has actually resulted in an admission that there can be a conflict between the two. Without doubt this was the point the lobbyists attempted to avoid. One can definitely conclude that the attempted point has actually backfired.

The creation of the Indian Computer Emergency Response Team, a federal agency which can contribute much to avoiding and warning about threats of the information technology kind, is a new feature. The creation of an examiner of electronic evidence for rendering expert evidence is another contribution made by ITAA 2008. Further, some amendments have been made to the penal code and the law of evidence by ITAA 2008.

Amendment to ITA 2000 was definitely required. Whether ITAA 2008 has succeeded in satisfying the reasons behind the need for an amendment to ITA 2000 is questionable. One should keep in mind the fact that ITA 2000 was basically a statute for facilitating e-commerce in the footsteps of the model law of the United Nations agency UNCITRAL. To incorporate all legal issues with respect to information technology into such a framework was unexpected. If the aim is to have a complete code, the reliance on the UNCITRAL model law is to be avoided. The error of absolute reliance on technological definitions without properly identifying the legal attributes and underlying principles is perpetuated in ITAA 2008. The inclusion of electronic signature as a means of authentication can be cited as the most crucial positive contribution of ITAA 2008. Further, there are some minor changes which have tried to correct the mistakes of ITA 2000. In a nutshell, one can conclude that there will be further changes to information technology law, since many errors of ITA 2000 have not been answered and some fresh errors have been contributed by ITAA 2008.

Tuesday, June 28, 2011

About Information, Information Technology, Cryptography and Law

I. Information and Information Technology:

From time immemorial the value of information has been recognized. Creation, storage, transmission and retrieval of information were an important facet of the system, and various modes of accomplishing these functions were also present in the system. No revolutionary developments arose that posed a threat to the then-existing modes of control of information. However, the latter half of the last century brought into existence information technology, which made a substantial change to this position. With the aid of this technology information of all forms was digitized, and all operations on any kind of information could be accomplished in that form. This was a revolutionary change and started to pose a threat to the hitherto existing modes of control of information. The growth of information technology can be seen as unparalleled. Indeed, the vertical and horizontal expansion of information technology has created a scenario in which a good portion of the working of society resides exclusively in the communication channel. A scrutiny of societal functioning will show that, basically, there exist only the movement of man and material, and the transmission of information. The latter part is being taken over completely by information technology. To condense, the multilateral impact of this branch of technology is nothing but tremendous in infiltration, advancement and spread.

As mentioned above, transmission of information is an important facet of the societal system. Newspapers, radio, television, office functioning, governance, teaching, telephone, speech etcetera all thrive on this aspect. Information technology deals directly with information irrespective of its mode of perception. Due to this factor, information technology can integrate with all the above-mentioned areas that deal with information. A conceptual examination from a different angle reveals another important aspect. All systems created or employed by man processed either matter or energy. Information technology has created yet another system, one which processes information, hitherto a task distinctive to man. This uniqueness and the pervasive nature of the technology leave no field untouched, and thus, unlike other technologies, this advancement is making its presence felt in all fields. In addition, the property of convergence makes doubly sure that nothing is left out. Further, the Internet is a freeway for information. In short, all these distinctive features of information technology have made sure that all activities of mankind involve or are aided by information technology.

The scope of information and its corresponding value have increased by leaps and bounds owing to the wholesome effect of information technology. Many times the value of information lies in the efficiency of the owner in keeping it to himself. Unlike tangible property, information can be multiplied in no time, thus diminishing or many times nullifying the value of the original. In this context the concept of information security gains significance. The concept, as literally deducible from the terminology, is nothing but the securing of information. The relevance of securing information is at its highest when it comes to the Internet, owing to its inherent freeway nature. The predators of information are looking for information, and it is the duty of information owners to make the information secure. Information in the communication channel or on the Internet resides in all places or no place. Unlike with tangible property, a casual sightseer has no notice of the demarcation of another’s property when it is in the form of information in a communication channel. Thus information security, in its minimal requirement, should at least demarcate one’s property from another’s. It may be doubted whether such a demarcation is any sort of securing process. Fencing one’s property is a normal recourse in the physical world, and without doubt it is a sort of demarcation. Similarly, drawing a line or putting up a signboard are also commonly pursued modes of identifying property. If these processes can be termed securing, there need not be any doubt on this point.

This minimum requirement, demarcation, is the simplest form of securing information. At the other end, highly complex methods can also be employed for securing information. When almost all of world society’s activities are carried out using the communication channel, protecting this communication channel is the aim of information security. There is a need to protect information that is in a channel and destined for a receiver, as well as information that resides in a system or network or even in a stand-alone system. Whether it is a simple demarcation or securing of the most complex kind, the tool for that purpose is cryptographic methods[1].

II. Cryptography:

Cryptography is the art and/or science of covert inscription[2]. This practice has been known to humankind from time immemorial, or rather from the time the value of information was recognized. The underlying factor in the use of cryptography may be the inherent quest of the human mind for maintaining secrets.

Cryptography in its simplest form can be a shift of alphabets. For example, ‘CAT’ can be written as ‘ECV’, where E is used instead of C, C is used instead of A and V in place of T. Here the technique of shifting alphabets can be cited as the algorithm and the number of positions shifted as the key[3]. Since the shift is of two positions, the key is two. A key can also be some other number, for example three. Then ‘CAT’ will be written as ‘FDW’. So the sender or creator of the message will send the text ‘FDW’ instead of ‘CAT’ when he is using a shift of three positions. The receiver will reverse the shift of alphabets by the same key and will read the message as ‘CAT’. Here the process of converting the message into its coded form is known as encryption. The process of getting back the message is called decryption. The original message is known as plain text, whereas the coded message is known as cipher text[4]. Since the same key is used for encryption as well as decryption, this type of cryptography is referred to as single key cryptography[5].

Shifting the position of alphabets is one of the easiest and earliest methods of encryption. There are many other, more complicated techniques used for securing information in cryptography. In the given example the key is also simple, in the sense that a number has been used directly for encrypting the message. The key can also be made complicated by prescribing conditions. A condition can be laid down whereby the key is dynamic throughout the message. Suppose the condition prescribed is a shift of one position for the first alphabet, increasing linearly thereafter; then for ‘C’ the key will be one, for ‘A’ the key will be two, and for ‘T’ it will be three. Thus ‘CAT’ will be written as ‘DCW’. Even though the technique remains the shifting of positions of alphabets, the key now comes with certain conditions. The security of a cryptographic technique is directly proportional to the complexity of the method as well as the key. From the early stages of the history of cryptography itself, the thrust was to improve the method as well as the keys. The greater the chances of deciphering the key and/or the method, the lower the security of the cryptographic technique.
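The fixed and position-dependent shifts described above, as an added Python example that is not part of the original post; the function names are chosen here for illustration. It also lists every fixed-key reading of a cipher text, which shows how few keys this method offers to anyone who knows the technique.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26 letters the shift works over


def shift_encrypt(plaintext, key_for_position):
    """Shift each letter forward by key_for_position(i), i being its 0-based position.

    Characters outside A-Z are passed through unchanged.
    """
    out = []
    for i, ch in enumerate(plaintext):
        if ch in ALPHABET:
            idx = (ALPHABET.index(ch) + key_for_position(i)) % 26
            out.append(ALPHABET[idx])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key_for_position):
    """Undo shift_encrypt by applying the same key schedule in reverse."""
    return shift_encrypt(ciphertext, lambda i: -key_for_position(i))


def fixed_key(k):
    """The same shift for every letter (key 2 or 3 in the text)."""
    return lambda i: k


def linear_key(start=1):
    """Shift of `start` for the first letter, increasing by one per position."""
    return lambda i: start + i


def all_fixed_key_readings(ciphertext):
    """Every possible fixed-key decryption: there are only 26 of them."""
    return {k: shift_decrypt(ciphertext, fixed_key(k)) for k in range(26)}


if __name__ == "__main__":
    print(shift_encrypt("CAT", fixed_key(2)))    # key two
    print(shift_encrypt("CAT", fixed_key(3)))    # key three
    print(shift_encrypt("CAT", linear_key(1)))   # key grows along the message
    for key, reading in all_fixed_key_readings("FDW").items():
        print(key, reading)
```
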

The practice of using the same key for encrypting as well as decrypting had many drawbacks. The receiver always gets the chance of posing as the sender, because the receiver acquires the capability of the sender inasmuch as the key and the method used for encryption and decryption are one and the same. Suppose X is the sender of information and Y the receiver, and it is previously agreed that a certain symmetric cryptographic method with a specific key will be used for encrypting the message. On receiving the message, Y will use the same key for decrypting the message. Suppose in their group there is another person Z who also uses the same key and method for writing messages between them. Now, Y will be able to make changes to the message received from X, and he can very well send it to Z using the same key and method. Suppose Y is pretending to be X in the message; there is no mechanism for Z to know who has sent it.

In addition to the simple method of alphabets there are umpteen single key cryptographic techniques. Since an identical key is used for encryption as well as decryption, this type of secret writing is also known as symmetric key cryptography[6]. The use of pictures and symbols, complex mathematical equations etcetera are also examples of a symmetric crypto system. Whatever the method employed, the basic defect mentioned above exists for symmetric key cryptography.

In this scenario there emerged the concept of asymmetric cryptography[7]. It is also known as private key public key cryptography. Here a particular key is used for encryption, whereas another key is used for decryption. The two keys of the pair are related in so complex a manner that knowledge of one does not let anyone work out the other[8]. Each person will have his own unique key pair, that is, a private key and a public key. The private key will be known only to the owner, whereas the public key will be made available to everyone. Taking the cited example, X can encrypt a message using his private key and send the ciphered message to Y. Y, on receipt of the message, can decrypt it using the public key of X. Unlike the scenario detailed above with respect to symmetric key cryptography, here Y cannot pretend to be X and resend the message to Z, because the private key of X is exclusively with him and only X can create or encrypt messages that can be decrypted using his public key. Thus one can observe that, unlike symmetric key cryptography, asymmetric cryptography has certain definite advantages. There are further enhanced uses of this method of cryptography. Suppose X wants to send a message to Y, wants to make sure that only Y reads it, and Y is also to be sure of the sender of the message. Here X will encrypt the message using his private key and will further encrypt this already encrypted message using Y’s public key. Now even if anyone else gets the message, only Y can decrypt it, since Y’s private key is required for decrypting. After decryption using Y’s private key, what he gets is a message encrypted with X’s private key. Now Y will have to further decrypt the message using X’s public key. A successful completion of this will ensure that X is the actual sender.
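The two situations described above, the shared-key impersonation by Y and the private-key-then-public-key exchange between X and Y, as an added Python example that is not part of the original post. Textbook RSA with small constructed primes stands in for the unnamed asymmetric method; the key values and function names are assumptions made for illustration and the numbers are far too small for real use.

```python
def shift(text, k):
    """Single key (symmetric) shift over A-Z; decrypt by passing -k."""
    return "".join(chr((ord(c) - 65 + k) % 26 + 65) for c in text)


SHARED_KEY = 3  # constructed value, known to X, Y and Z alike


def make_keypair(p, q, e):
    """Textbook RSA key pair from two small primes (toy values only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # private exponent: inverse of e modulo phi
    return (n, e), (n, d)      # (public key, private key)


def apply_key(key, numbers):
    """Apply one half of a key pair to each number: m -> m^exp mod n."""
    n, exp = key
    return [pow(m, exp, n) for m in numbers]


# Constructed key pairs. The moduli increase from X to Y to Z so that a value
# produced under a sender's key always fits under the recipient's modulus.
X_PUB, X_PRIV = make_keypair(61, 53, 17)     # n = 3233
Y_PUB, Y_PRIV = make_keypair(89, 97, 5)      # n = 8633
Z_PUB, Z_PRIV = make_keypair(101, 103, 7)    # n = 10403


def send(sender_priv, recipient_pub, text):
    """Inner layer with the sender's private key, outer layer with the
    recipient's public key, one letter at a time."""
    inner = apply_key(sender_priv, [ord(c) for c in text])
    return apply_key(recipient_pub, inner)


def receive(recipient_priv, claimed_sender_pub, ciphertext):
    """Remove the outer layer with the recipient's private key, then the
    inner layer with the public key of whoever is claimed to be the sender."""
    inner = apply_key(recipient_priv, ciphertext)
    codes = apply_key(claimed_sender_pub, inner)
    # If the inner layer was not made with the claimed sender's private key,
    # the numbers that come out are noise rather than the letters A-Z.
    return "".join(chr(c) if 65 <= c <= 90 else "?" for c in codes)


if __name__ == "__main__":
    # Symmetric case: Y alters X's message and re-encrypts it with the shared
    # key. Z decrypts it cleanly and has nothing to tell him X did not write it.
    altered = shift("MEETATNINE", SHARED_KEY)
    print("Z reads (shared key):", shift(altered, -SHARED_KEY))

    # Asymmetric case: X to Y, readable only by Y and attributable to X.
    to_y = send(X_PRIV, Y_PUB, "CAT")
    print("Y reads from X:", receive(Y_PRIV, X_PUB, to_y))

    # Y holds only his own private key. A message he builds for Z does not
    # open as text under X's public key, only under Y's own.
    from_y = send(Y_PRIV, Z_PUB, "DOG")
    print("Z opens as if from X:", receive(Z_PRIV, X_PUB, from_y))
    print("Z opens as from Y:   ", receive(Z_PRIV, Y_PUB, from_y))
```
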

Thus, even in theory, one can see the potential of cryptography. Used in an electronic environment, the prospects of cryptographic techniques are just colossal. One can also say that in the use of information technology cryptographic techniques are unavoidable. Thus this art/science of cryptography, which had been present for a very long time, suddenly came into the limelight as a great tool in electronic forms of communication.

III. Cryptography in Information Technology

When one seals the envelope carrying a letter written by him, he is securing the information carried by that paper even though the envelope may be in a public channel. In the electronic environment such a task needs to be mimicked, so as to ensure the paper is in a sealed envelope, as mentioned above. Technocrats identified cryptography as a tool to achieve this end. Due to the wide-scale proliferation of applied information technology among the masses in a short span of time, computing devices were becoming ubiquitous in society. Thus information in electronic form became a need of the general public also. This meant that the public too needed to rely on cryptographic techniques for securing their information. Cryptography used to be a pet tool of espionage[9] and was usually associated with the State, Government, Sovereign etcetera. Conversely, it was also used for rebellious activities. Thus cryptography, which was hitherto a requirement of the State, suddenly found itself a necessity for the public at large who rely on electronic systems. Thus there was a sudden change in the usage pattern of cryptographic techniques. As mentioned earlier, the strength of the process of securing information using a cryptographic technique is a direct function of the complexity of the mathematical formula or equation employed. To what extent this complexity, or the toughening of the process of cracking ciphered information, can go is a perplexing issue. There are certain legal issues intrinsically connected with this.

IV. Legal Issues:

The subjects/citizens wanted cryptography for secret communication, whereas the State was hesitant to give such an absolute right. The State is always interested in knowing what is transpiring between its subjects, or between a subject and an alien, mainly citing the larger interest of the State. When subjects deploy cryptographic techniques without any State intervention or control, the freedom of the subject is increased, but the State is constrained in extracting information transpiring in society. It is just like written matter covered by an unbreakable envelope. The State is handicapped by this factor. Even if the State knows that the information contained is against its interest, it can do nothing. Similarly, any doubtful information is also outside the reach of the State. Thus, for the larger interest of the State, as a result of information technology there evolved all of a sudden the need for controlling cryptographic techniques[10].

Even in a highly democratic political environment it is a ground reality that the State uses its machinery for eavesdropping on the communication of its subjects. Telephone tapping, interception of postal materials and the employment of spies are certain commonly employed State tactics of encroaching on citizens’ private lives, many times on the pretext of State interests. When cryptographic methods are used for private communication, the State will be in an insecure position. The more complex the cryptographic methods used, the greater the difficulty for the State in getting such information. Thus the issue boils down to the privacy of the citizen vis-à-vis State security. This issue seems to have been identified in the United States from an early time itself.

Cryptographic tools were considered a dangerous weapon in the US[11] and there were controls on their use and on transactions in them. However, there was an outcry from liberal people for the use of encryption as a tool for protecting the right to privacy in communication. The State was worried about the leakage of State secrets into the hands of potential State enemies. So there was, as usual, a fight between individual freedom and State security. In this situation the concept of the clipper chip originated. The clipper chip idea was a compromise put forward by the federal government for meeting the need for use of encryption while at the same time upholding State security. The clipper chip was hardware built into communication devices which encrypts the message at its inception and decrypts it at its reception. Therefore, in the communication channel the information will be in an encrypted form, so that the citizen’s right to privacy in communication was recognised. Nevertheless, there was a negative side to this set-up. The State would have access to all the encryption algorithms embedded in the clipper chips, so that State authorities would be in a position to listen to any information passed between people. This suggestion from the Federal Government also raised strong criticism from rights-conscious people. In this context the idea of the Trusted Third Party[12] originated. People are free to communicate using encryption, but there will be a middleman who will have a copy of the clipper chip and who, when circumstances require, will disclose it to the State. Thus the privacy of communication of individuals was guaranteed, and at the same time State interest was also given due importance.

The issue with respect to the clipper chip was actually limited to telecommunication. However, the scope of use of cryptography in present-day information technology is on a higher level, and the chances of legal issues are likewise higher. How far is the system ready to tackle the emerging issues? The author is of the opinion that this is the issue that is going to perplex legal thinkers in future. There seem to be certain lapses in the identification of the real legal issues, and this is reflected in the prescription of remedies also.

The role of certifying authorities in the authentication process using digital signature[13] is one such example. Many countries have accepted digital signature as a mode of authentication and have also recognized the role of the certifying authority. One who examines the role of the TTP in the light of the compromise formula that resulted from the clipper chip can observe that, contrary to the common belief, the TTP is not the trusted third party of the contracting persons; rather, it enjoys the trust of the State. The role played by the certifying authority is actually an extension of the role of the TTP. Thus it can be seen that these agencies evolved not because they had the faith of the parties dealing with them, but only because they enjoyed the trust of the State. One should keep in mind the fact that in the United States TTPs evolved because there was control on cryptography, whereas many of the world’s countries that have accepted digital signature as a means of authentication lack such a history. Thus, speaking from principles, a certifying authority is not a necessity, as the so-called generation of trust is not the aim of the Certifying Authority; it aims at the security of the State. As mentioned earlier, the creation of TTPs was a result of State interest in controlling the use of cryptography. Even in the presence of this known fact, legislatures throughout the globe are confusing things when they legislate in the area. This confusion and contradiction is actually an indication of the emerging issues.

The maximum employment of cryptography is going to be in securing information on the Internet. To what extent cryptographic techniques can be used, how they should be used, who all can use them etcetera is going to be the core issue of the field. The existence of a sovereign, territoriality, the concept of property, relationships of a real nature and paper-based transactions are certain basics upon which any legal system has placed great reliance. Many issues in connection with information technology inherently lack or defy these basics. Even if one identifies the above concepts, extracting the required legal attributes is difficult to achieve. In the real world, a societal system is contained or controlled by four means, namely by law, by social norms, by market conditions and by the nature of the system. These controlling factors also are not effective as far as information technology issues are concerned. The need for law to lay down the mode and modality of a system is always there, and information technology is no exception. A perusal of the historical origin of legal control through strict prescription of compulsory mandates by the crown will reveal that in many circumstances those were nothing more than State sanctification of prevalent practices of the society. Thus, laws controlling varied fields and subjects were nothing but a continuation of practices. It is a fact that law lags behind technology; law brings the emerging challenges within its control and streamlines their growth in a manner acceptable to all. However, as far as this branch of technological advancement is concerned, it is strongly felt that due to its sudden growth law is not evolving but is being generated. When the system tries to rely on earlier basics, as in the case of certifying authorities, it creates contradictions. Generally speaking, control creates order, and only this resultant orderly pattern can assure minimal friction for a given system.
This statement is true for any closed or open system. The smooth running of society at large is also achieved by this element of control. Without doubt, with respect to a political society this control is amiably taken care of by the legal system. The dynamism of society has its impact on legal norms also, and any change in the behaviour of society means some repercussions on the legal system. This dynamism has many causes, and technology is one among them.

Speaking generally as well as jurisprudentially, the concept of property is of immeasurable significance, and the social, economic, legal and political issues with respect to it have led to philosophical discussions. Thesis and antithesis as well as synthesis are plentiful surrounding this concept in all of the above-mentioned branches of thought. The extent to which property holding is allowed, how far property is an extension of personality, what the nature of property rights is etcetera are debatable issues at any point of time. Nevertheless, the need to protect one’s property has been recognized and accepted by almost all political societies. Jurisprudential elucidation of this concept has been the pedestal of diverse branches of law in the relevant treatment of various legal issues. Except in some legal issues, the reference to property is always to tangible real property. However, in the communication channel the whole scenario changes. In the real world, property has its own localization or demarcation. Thus, even in the absence of a specific notice, each property is physically distinguishable. However, in the communication channel, due to the absence of ‘place’, all property resides in the ‘same place’ or ‘no place’. Alternatively, it can be said that the actual location where any ‘information’ resides is irrelevant. In other words, the physical demarcation existing in real world property is absent in the communication channel.

While dwelling on the subject to give an answer to the above-mentioned issue, another legal concept takes on significance. Trespass is a very wide concept when discussed in a context-independent manner. Whatever it may be, one thing is for sure: trespass can be made on any property, the legal consequences and the defences being secondary. In a networked environment, all property resides in the ‘same place’ or ‘no place’. So, unlike in the real world, the respective owner should identify each property, because this identification itself creates different property, owing to the place-independent existence of property. When examined minutely, one can see that trespass is the first and foremost infringement. Thus protection of property can be achieved by avoiding trespass. This can be done minimally by a mere notice or warning of ownership and can be strengthened by using cryptographic techniques. Fatal methods like electrified fences have raised legal issues in the protection of real world property. On the other hand, unless there is sufficient warning or notice, different property will not be identifiable. Sometimes the State will be interested in getting information about its subjects in the State’s interest. Thus the how, why and when of the usage of cryptographic tools is a legal concern.

Hacking, theft, fraud, privacy, piracy, misrepresentation, defamation, denial of service etcetera are the broad heads of legal issues with respect to information technology. All these legal issues have only a singular concept of concern; that is ‘information’. Many of the enactments define information for the purpose of legally dealing with these issues. Similarly, courts are also considering issues of these types so as to render a decision. However, viewing from the conceptual angle one can see contradictions. Take for example the two specific issues of hacking and theft; for the former an entry into some information is sufficient, whereas for the latter taking away of some information is required. One can see that both the issues are targeting information. While creating an enactment or rendering a decision on these issues, the legislature or the court, as the case may be, treats information both as immovable property and as movable property. For the former, information is qualified with the attributes of immovable property, whereas for the latter with those of movable property. In some instances, again, ‘information’ is viewed as a unique concept. Thus there are evident inconsistencies across different categories of issues. Further, a fine perusal of issues of a single category also precipitates certain contradictions. These types of problems are more visible when courts examine the extent of infringement, like how and when the rights of a person are infringed. To sum up, legislated law as well as judge made law show a pattern that is not consistent while dealing with issues in information technology.

Authors from some quarters have mooted the idea that the concepts of property and trespass have to be infused, or to some extent ameliorated, for forming a jurisprudential basis for a proper treatment of legal issues. From the discussion it can be identified that the law is in for trouble. One cannot identify what can be infringement; one cannot identify the real nature of the concept of information. Cryptography remains the sole mode of bringing in some sort of control and/or protection of information in the communication channel. However, cryptography is a technological advancement which law has never made an attempt to control hitherto [14]. So one can guess the problems that can trouble the legal system as the paper world is shifted to a paperless world.

B. Sc., LL.M., Advocate, Kochi. youdei@gmail.com

1 Op. cit. Using this classical definition of cryptography, any sort of alteration of information so as to make its perception more difficult can be qualified as use of a cryptographic technique.

2 For explanations from basics see RSA Laboratories' Frequently Asked Questions About Today's Cryptography: Version 4.1, RSA Security Inc (2000). Available at , viewed on 26th of October 2006.

3 An algorithm is a set of rules that specify the order and kind of arithmetic operations that are used on specified set of data. These arithmetic operations could include such things as rounding rules, a logical decision or a specific formula. It is a computable set of finite steps to achieve a desired result. The word comes from the Persian author Abu Ja'far Mohammed ibn Mûsâ al-Khowârizmî who wrote a book with arithmetic rules dating from about 825 A.D. Key is the value that is used by the algorithm to encrypt and decrypt the data.

4 Supra n. 2.

5 Ibid.

6 The term symmetry is denoting that there is symmetry with respect to the key used for encryption as well as decryption; rather the keys employed are one and the same. Ibid.

7 As opposed to symmetric key cryptography the key for encryption and decryption are different hence the terminology asymmetric. Ibid.

8 There are numerous algorithms for asymmetric encryption. The RSA algorithm remains the most famous one. Ron Rivest, Adi Shamir and Len Adleman of Massachusetts Institute of Technology invented RSA algorithm in 1978. The name RSA has been coined by taking the first letter of the first names of Ron Rivest, Adi Shamir and Len Adleman. The RSA algorithm relies on the difficulty of factoring immensely large numbers. In the key generation phase, the RSA algorithm generates a very large number usually 1024 bits long. This generated number is not just any number, but it is the product of two very large 512 bits long prime numbers. The security of the RSA algorithm relies on the difficulty of factoring this number to give the two large primes. That means 2^1024, which is approximately 10^228 times the number of atoms in the universe. As a very small-scale example, imagine trying to factor 1261. A desktop computer could solve this in a fraction of a second, giving 97 and 13, but when the number in question is much larger, even supercomputers working together could not do it before the end of the universe.

9 Chanakaya, is said to have used cryptographic techniques in his fight.

10 The issue of use of cryptographic techniques in Blackberry Phones and the attempt of the Central Government to contain it is an example even though an isolated one.

11 In US, the federal statute Arms Export Control Act, 22 U.S.C. § 2778 has defined: “…[C]ryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information…” as on par with dangerous weapons.

12 Known in short as TTP.

13 A type of electronic signature for authenticating electronic communication, accepted in India vide the Information Technology Act, 2003. The amendment cleared by the houses of Parliament in the year 2008 has also brought in other techniques of authentication.

14 As mentioned earlier United States’ example is an exception to this.
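The small-scale case in note 8, worked through as an added example (not part of the original article): a textbook RSA key is built on the modulus 1261 = 97 × 13, and the private key is then rebuilt from the public key alone by factoring. The public exponent 5, the message 42 and all function names are assumptions chosen for illustration.

```python
"""Toy RSA on the footnote's modulus 1261 = 97 x 13 (illustration only).

Textbook RSA without padding; the exponent e = 5 and the message 42 are
constructed sample values, not taken from the article.
"""
from math import gcd, isqrt


def keygen(p, q, e):
    """Build the (public, private) key pair from two primes and exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p - 1) * (q - 1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public):
    """Encrypt an integer message with the public key (n, e)."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be in the range [0, n)")
    return pow(m, e, n)


def decrypt(c, private):
    """Decrypt an integer ciphertext with the private key (n, d)."""
    n, d = private
    return pow(c, d, n)


def factor(n):
    """Trial division: at most about sqrt(n) steps, instant for 1261."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_key(public):
    """Rebuild the private key from the public key alone by factoring n."""
    n, e = public
    p, q = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def trial_division_ceiling(bits):
    """Upper bound on trial divisions for a modulus of the given bit length."""
    return isqrt(2 ** bits)


if __name__ == "__main__":
    public, private = keygen(97, 13, 5)
    ciphertext = encrypt(42, public)
    print("public key :", public)
    print("ciphertext :", ciphertext)
    print("decrypted  :", decrypt(ciphertext, private))
    # Anyone who can factor n obtains the same private key as the owner.
    print("factors    :", factor(public[0]))
    print("recovered  :", recover_private_key(public) == private)
    # For a 1024-bit modulus the same search has up to 2**512 candidates.
    print("1024-bit bound has", len(str(trial_division_ceiling(1024))), "digits")
```

Trial division is only the simplest way to factor; the point it makes is the footnote's own, that the private key is exactly as safe as the modulus is hard to factor.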

“Cyber Law” – An Introduction for Non Law Professionals

Introduction

‘Cyber Law’ is the commonly used notation for information technology law. In its true sense it is a collection of different provisions of conventional categories of law, in so far as they address legal issues emanating from this branch of technological advancement. This nascent branch of law is gaining more and more importance owing to the widening usage of information technology and the resultant increase of legal issues. Retrospection about the subject brings to the front certain interesting particulars. In a fiction titled “Neuromancer” the author William Gibson had elaborated a scenario. The telephonic conversation between two persons was the factual premise. Here the two persons are meeting through their conversation. Where do they meet? Is it at the first person’s place or the second one’s? The author was of the opinion that it was neither, but an imaginary space, and preferred to call this meeting place “cyber space”, referring to a space that never existed in reality. This terminology was at a later stage used for addressing the unreal space created by information networks. Without hesitation the law that addressed this subject matter also came to be referred to by the same name.

As mentioned earlier, information technology law is an assortment of provisions of conventional law subjects that have a certain connection with information technology. Law of contracts, criminal law, taxation laws, law of evidence, law of torts, constitutional law etcetera are the chief conventional law subjects which form part of it. Relevant provisions of all these branches are bundled together to be called 'cyber law' when issues in information technology are addressed. Even though history has witnessed the inception, growth and outdating of technologies, never has there been a branch of law for a specific technology. Law of admiralty is an exception; however, a study of law of admiralty shows certain time-tested reasons for its existence. Many branches of technology were instrumental in creating specific legislation. However, those legislations were always part of conventional law subjects and not vice versa. Similarly there might have been collection and study of homogenous legislation, but never did it result in the creation of a branch of law.

The Need for a Separate Branch of Law

It is worthwhile to examine the need for a specific branch to address this limb of technology. Literature has been widely published speaking for and against the need for a specific branch of law. Nevertheless, regardless of the reasons not favouring it, the branch is progressing geometrically.

Conceptually observing, one can find a peculiarity in information technology. Systems created or employed by man were either processing matter or energy; a lathe is an example of the former whereas a transformer is an example of the latter. However, a computing machine processes information, hitherto a task distinctive to man or even to some extent an animal. Thus there is exclusivity to a computing system.

An element of technical competence or rather computer literacy is required for dealing issues with respect to information technology. Thus in order to cater to such a technically literate group it was a better option to club the relevant portions of conventional laws into a collection rather than teaching the interested pupils different law subjects.

Corporate interest of powerful information technology industry for moulding “cyber law professionals” can also be cited as another compelling reason.

The matchless vertical and horizontal expansion of information technology furthered by its pervasive omnipresence leaves no fields untouched and thus unlike other technologies this technological advancement is making its presence felt in all fields. Thus there can be a high desirability for a separate dwelling into the legal issues of the branch.

Taken any branch of law, the same will be resting on strong jurisprudential basis and should be governed by general principles. The credibility of information technology law is questionable on this point. As mentioned earlier it is an assortment of portions of conventional law subjects and is thus lacking its own jurisprudential basis.

At this juncture reference to certain other facets carries importance. The usual classification of laws are: -

  • Public and Private - Laws that are mainly on the public domain belongs to the former and others to the latter.

  • Substantive and Procedural - Laws that define or lays down legal position and laws that details the procedure of legal recourse.

  • Civil and Criminal – A legal proceeding can be of civil or criminal nature.

However with respect to 'cyber law' the classification cited above is difficult to exist.

Another important thing is that, a legal system relies on certain concepts. The same can be enumerated thus: -

  • Existence of sovereign – One who creates law.

  • Territoriality – The geographical area in which a law is valid.

  • Concept of property – An abstract concept, it pre-supposes a ‘thing’ and an owner for such a ‘thing’.

  • Relationships of real nature – Law in every discussion is relying on relationships between two entities and all times it is real in nature.

  • Paper based transactions – Take any branch of law paper based transactions are always referred to.

As far as information technology is concerned the above listed concepts are inexistent on many circumstances. Even if one is identifying the above concepts the extracting of the required legal attributes is difficult to achieve.

Anyhow the continuous growth of the information technology law is not retarded by the arguments against it; the graph of growth is on an uphill.

Legal Issues Covered by 'Cyber Law'

Almost all branches of law are one way or other affected by the growth of information technology. Taken any branch there is presence of issues relating to or arising out of information technology. Nevertheless a pattern shown by law schools shows much importance in the topic is given to contractual issues, problems of tortious nature, cyber crimes, evidential matters, jurisdictional questions, constitutional concerns and taxation issues. It is interesting to note that another branch of law that ought to have been part of 'cyber law' is still taught separately. This is intellectual property rights, wherein the relevant issues, with respect to software and to some extent hardware, are part of that particular branch and not part of 'cyber law'. This may be due to the reason that intellectual property rights issues were present from an earlier time, whereas the inception of 'cyber law' as a separate branch dawned some time in the last decade of the last century. Thus intellectual property rights issues continued to be taken care of by that relevant branch of law. All other legal issues associated with information technology are part of 'cyber law'. However in certain courses intellectual property rights are taught together with 'cyber law', nevertheless the general trend is the other way. Literature on the subject is also showing the same pattern.

In addition to the conventional law portions certain unique issues of information technology era are also taken care by this nascent branch. However when one is examining the true nature of the so-called unique issues of information technology, it can be observed that conceptually the real world counter part of the same was already present.

The Scope of the Subject

The growth of information technology is unparalleled in history. The property of convergence makes sure that the ubiquitous machine is leaving nothing. In short, all activities of the Humankind are having or are aided by information technology. As stated earlier 'cyber law' is an assortment of provisions of various branches that are having some element of issues of information technology. When all of the activities of human kind are having a touch of information technology, as the time goes on there would not be any human activity without a pinch of information technology. Thus all branches of law will have issues with respect to information technology. Conversely 'cyber law' will be part and parcel of all other branches. For example some authors are already holding the view that there will not be any crimes in future but only 'cyber' crimes. Similarly, nowadays there is reference about 'cyber' ethics referring to ethics to be maintained by workers of information technology. However in future when all are using information technology the general ethics itself will be 'cyber' ethics. Thus even the concept of ethics will be giving way to 'cyber' ethics.

Certain phenomena are omnipresent in everything and the societal system as a whole in all its activities presupposes its existence. Writing and reading; and the knowledge of it referred as literacy is part and parcel of all walks of human activity. As mentioned earlier all branches of law in one-way or other have accepted this as a reality or necessity. In future computer literacy will be as important as the general concept of literacy. Thus the intermediary or accessory nature of information processing device will be unavoidable and societal system in its entirety will be considering it as just like writing or reading and legal system will not be an exception.

Thus one can see that there is a very high priority requirement of accruing knowledge of legal issues of information technology. As the time goes on the issues in concern of 'cyber law' will be increasing by leaps and bounds. It may also lead to a situation whereby issues in all other branches of law getting accumulated in 'cyber law'. Contrarily the using of information technology in all spheres of life will result in a situation whereby there will not be any requirement of separate treatment of legal issues of information technology. In short one may say either 'cyber law' will engulf all other branches of law or 'cyber law' will crumble and dissolve into respective parent branches. Anyhow the importance of studying of legal issues of information technology is not to be belittled.

Major Legal Initiatives

Examining the initiatives of world countries for addressing legal issues of information technology seldom shows a pattern. Even though multiple issues are present, few countries have attempted comprehensive legislation. However, with respect to legal acceptance of electronic documents, electronic communication and electronic signature, almost all the major countries have made legislations. Certain legislations have covered other legal issues together with this; however, statistics reveal these to be very few.

Starting from the initiative of Utah State of United States of America in 1995 there was a chain of legislative as well as other initiatives in creating laws in this branch of technology. The Utah Code had four chapters namely Notaries Public Reform Act, Commissioners of Deeds, Utah Digital Signature Act and Uniform Electronic Transactions Act. The third and fourth chapters were the important ones as far as 'cyber law' was concerned. The legal validation of digital signature was covered by the former whereas the latter dealt with electronic communication. The Utah Digital Signature Act is holding a pivotal position and can be considered as the first true 'cyber law' legislation. However the too much stress on technology was later not much accepted by other initiatives.

Due to the encompassing nature and global reach of information technology it was nothing but a necessity that there should be a uniform nature of treatment among the world countries. UNCITRAL became the torchbearer by adopting The Model Law on Electronic Commerce in 1996 (UNCITRAL is the short notation for United Nations Commission on International Trade Law, a United Nations functionary based in Vienna, Austria which develops model laws and standard documents meant to facilitate international commercial transactions among other activities. The Model Code was accepted by the United Nations General Assembly Resolution 51/162 of 16th December 1996). Vide the same the commission recommended the member nations to follow the model law while creating laws in the subject. Here also the discussion was centred on authentication and validation of electronic documents.

The laws passed by other countries like Germany - The Digital Signature Act, 1997; Singapore – The Electronic Transactions Act, 1998; Federal Government of United States of America - The Uniform Electronic Transactions Act, 1999; Finland - The Act on Electronic Service in the Administration, 2000; Philippines - The Electronic Commerce Act, 2000 etcetera are some other important legislations in this area. As can be understood from the titles themselves, many were concentrating on norms and conditions for legal validation of electronic transactions and were mainly centred on signature. A technologically neutral and mature treatment of electronic signature is present in the Finnish law. With respect to issues like privacy, piracy, hacking, cracking, stalking etcetera almost all the initiatives follow a general nature, differing only in the punishments aspect. The Electronic Commerce Act, 2000 of Philippines was a somewhat comprehensive one covering other major issues and was highly precautious and severe with respect to 'cyber' crimes. This can be attributed to the great deal of damage done by the fatal “I Love You” virus that originated from Philippines.

A study about the inception and growth of 'cyber law' will show that before the coming into of large-scale legislations the law schools of developed nations especially United States had started teaching of subject. And when issues of this particular branch of technology came before Courts the general trend shown by the judiciary was to fall back on conventional legal provisions and to decide the issue presented before it. On the basis of these case discussions and those which were faced by corporate entities within itself, law schools were dwelling into the same.

Information Technology Act, 2000

Without doubts one of the most awaited, expected, celebrated, discussed, debated law passed by Central Government in the recent past is The Information Technology Act, 2000. It was the need of the time that a statutory enactment be made for putting in black and white the legal position with respect to this emerging area.

The Act acknowledges the driving nature of the UNCITRAL Model Law on Electronic Commerce. The introductory portion further mentions that the Act is an endeavour to give legal recognition for electronic transaction and to facilitate filing of electronic documents with the government. The Act also makes certain amendments to The Indian Penal Code, 1860, The Indian Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891 and The Reserve Bank of India Act, 1934.

While glancing through the Act one can find that the same is a small piece of enactment for addressing this nascent field that is having huge ramifications. There are only 94 Sections arranged in thirteen Chapters and it is followed by 4 Schedules in which the amendments to the above mentioned four Acts are incorporated. Even though there are thirteen Chapters the more than half of the Act is entirely dedicated to digital signature and related issues. This can be argued as a normal outcome since the aim of the Act itself is to facilitate electronic transaction and authentication is a necessary end for electronic transaction.

Chapter I of the Act is the preliminary one and is also titled the same. The interesting provision of the portion is Clause (4) of Section 1. The said provision excludes negotiable instruments (other than cheque), power of attorney, trust, will, contracts with respect to immovable properties and any class of documents or transactions that may be notified by the Central Government from the purview of the Act. One can raise the doubt why such a class of documents has been excluded from the operation of the Act. The author holds the view that the delicacy of the State in readily embracing the technology is evident from this exclusion. However, laws made by various other world countries also show this trend. The common nature of the documents mentioned above is that all are highly critical in nature and the State is not willing to accept an electronic document instead of the time tested documents in paper form. Maybe in future, when electronic transaction becomes the order of the day, one can expect the expulsion of these exclusions from the Act. The

Chapter II is titled Digital Signature and has two sections, and vide the same it recognizes the legal validity of digitally and electronically signed electronic documents. Then follows Chapter III, titled Electronic Governance, which occupies Sections 4 to 10. The details with respect to acceptance of electronic documents at governmental level and such things are the core. Chapter IV is titled Attribution, Acknowledgement and Despatch of Electronic Records and contains 3 Sections. Secure Electronic Records and Secure Digital Signature is the title given to Chapter V. Both these chapters are loyal to their titles. Chapter VI, bearing the heading Regulation of Certifying Authorities, is one of the lengthiest Chapters of the Act, running from Section 17 to Section 34. As the title mentions, it details the role and mode of working of certifying authorities and is more of a procedural one, mainly laying down the administrative norms. Chapter VII, covering Sections 35 to 39, is named Digital Signature Certificate and is about the form and format of the same. Chapter VIII has three sections and is given the heading Duties of the Subscriber.

With Chapter IX, which is titled Penalties and Adjudication, the provisions with respect to signature come to an end. Section 43 of the same is an elaborate one discussing penalty for damage to computer system. Unauthorised access is the bottom line of the discussion and various incidences of the same are detailed. The enumeration of the various points is precise and definite; nevertheless one can consider this a shortcoming also. The attempt to define the minute details will result in exclusion of certain categories of unauthorised access owing to their non-specification. The role of the Adjudicating Officer, who is to give the decision on issues arising under the Act, is mentioned in this Chapter.

Chapter X is comparatively a big one, covers issues with respect to the Appellate Tribunal and is titled the Cyber Appellate Tribunal. The setting up of the Appellate Tribunal for deciding issues under the Act is detailed here. An appeal from the decision of the Controller or Adjudicating Officer lies to the Tribunal.

Offences is the title given to Chapter XI. The major categories of usual computer crimes are covered by referring to Section 43. Punishment can be fine and/or imprisonment and the maximum prescribed is up to rupees 10 lakhs and life imprisonment respectively. The Government can also declare a computer, computer system or computer network as a protected system, and any unauthorized access or attempt to access is an offence that is punishable by imprisonment which may go to ten years and/or a non specified fine. It is further provided that all the punishments under the Act are in addition to other legal remedies. That means penal actions under other laws can also be taken against the perpetrator simultaneously.

Chapter XII has only Section 79 and is titled Intermediaries Not To Be Liable in Certain Cases. The last Chapter, that is XIII, is titled Miscellaneous. As the name itself signifies, assorted items are dealt with in the Chapter.