/dq/media/agency_attachments/UPxQAOdkwhCk8EYzqyvs.png)
Follow UsSome six years ago, late Pramod Mahajan, then Union IT and
telecom minister, had announced the enactment of the Information Technology (IT)
Act 2000 amidst lot of expectations and fanfare. The act was meant to herald the
new IT age in India, to unfetter the chains that bound the industry. For the
first time there was talk about criminal procedures against unscrupulous
techno-savvy criminals. No more could cyber stalkers commit crime and vanish.
The intent was indeed noble, to promote e-commerce and safeguard e-governance in
India.
Somehow, the act has not really lived up to its promise. There
has been only a single conviction so far and still not a single rupee awarded in
damages. Though there have been numerous cases filed, something is lacking on
the investigating front. All that changed after a few high-profile controversies
emerged over the functioning of the BPO industry. There was the sting operation
conducted by Channel 4 that had a few people caught on camera ready to sell
confidential data of UK citizens for money. Recently, an India based company,
Acme Telepower also announced that it was shifting its R&D processes
overseas over shoddy investigation conducted by Haryana police on a data-theft
done by an ex-employee./dq/media/post_attachments/172b09f72f0d829d0bc60f79de75274e916db461e9be6f7897714a43958738d8.jpg)
The Impact: The Indian government suddenly came out of its
slumber and the cabinet committee approved a few amendments aimed "to
strengthen the legislation pertaining to data protection and privacy".
Certain sections of the act were changed, a few retained and
some annulled all together. It was an exercise aimed to allay the fears of the
industry and the international community. To an extent it seemed to have worked,
but on a closer analysis, there seems to be something sorely amiss.
Good or Bad?
Cyber law expert Na Vijayashankar (popularly known as Naavi) is
convinced that the proposed amendments are weakening the foundation of the IT
Act rather than strengthening it. "The draft of the proposed amendments is
not yet made public, but from whatever information that could be gathered from
the press statement, it seems that these amendments are not solving any issues
related to data theft or data privacy. In fact, in the coming days they could
lead to creation of newer hassles," he says.
To substantiate his claim, Naavi talks about a few instances of
the act that would undergo changes. He talks about Section 66 in the original IT
Act that states: If information residing inside a computer had been injuriously
affected by any "means", and the person causing the injury was
"Either Aware" or "Had the Intention" to cause damage, the
section could have been invoked.
|
|
|
"The proposed |
/dq/media/post_attachments/bff05e810326ad066625d1b0aba123ed01c415e6e4aa7ae4e29f02f0a60da6ee.jpg)
"Section 66 of the IT Act has been diluted with the
addition of the prerequisites dishonest, fraudulently and intentionally. For
instance, now the investigating agency not only has to prove that accused had
broken into a system or committed a data-theft, but also that he or she did it
either dishonestly or fraudulently or without permission. This could be a tough
task to prove in the court of law," he says.
Hence, according to him, in the instance of another sting
operation conducted by the UK newspaper, the Sun in 2005: If these new sections
were to be amended, the police would have to prove that Karan Bahri (prime
accused) not only sold stolen data but also did it with malafide intentions.
Naavi is also vexed at the annulment of Section 80 (that gave
police the power to search and arrest in a public place, without a warrant).
"This will make the enforcement agency, ie the police, completely
powerless. The police will not have any power to search and arrest without
warrant, which had earlier been limited to the rank of Dy SPs (superintendent of
police), and in public places without specific direction from the magistrate.
This will sorely limit the investigative process," he explains. Though not
many would agree with Naavi over the arbitrary powers wielded by the police.
Most of the times the police compound the laptops or computers
used to conduct any such crime and use it as evidence in the proceedings. But
now there will be a delay, as the police will need a warrant issued by the
magistrate before they conduct any investigation. This delay could provide
sufficient time for perpetrators to get rid of the evidence.
Naavi is not alone in his negative assessment. Renowned cyber
law expert and Supreme Court advocate, Pawan Duggal, seems to be more or less in
agreement. "The proposed amendments seem to be a mere cosmetic job. They do
not touch upon the fundamental or the core issues. When the law was enacted, the
times were different, today the needs and requirements are different. Data
theft, as an issue, needs to be dealt with separately. Though there are certain
changes in the mechanism and sum of compensation but overall the law is silent
on the emergence on new types of cyber and data crimes," says Duggal.
"It has been six years since the law was enacted but to-date there has not
been a single rupee that had been awarded as damages. We need to revisit the
whole law, rather than just changing or appending sections. It is akin to
dragging a dead horse on its back," he adds.
Both experts are of the opinion that the proposed amendments
could hurt the very industry (read BPO) it aims to help. As it is, thanks to
adverse media coverage and a few incidents, foreign clients are wary of
off-shoring their work to India for the fear of data protection. Indian BPO
companies are striving to move up the value chain by providing high-end services
like KPO (knowledge process outsourcing), ESO (engineering services
outsourcing), etc. If adequate data protection is not provided, this could
adversely impact the transition process.
|
|
|
"We need an act that is |
/dq/media/post_attachments/346b6b3183ba33cdaa9465799f58e13e65b7294a7c33cad914c1430aebc68677.jpg)
The bone of contention seems to be the amendment of section 79,
which releases 'an intermediary' from any liability unless charges like
"conspiracy" or "abetment" are proved. The good thing is
that, as was the case of Avnish Bajaj, CEO, Bazee.com, he could not be held
liable for any posting done on his website. The bad thing is now BPOs cannot be
held responsible for negligence, when a loss of data occurs.
There is also the added clause on compounding of offences by the
controllers and adjudicating officers. Thus, an accused can now be let off,
after paying a fine decided by the adjudicating officers, for instance IT
secretaries without any sort of consultation by the affected party or referring
the matter to the courts. This could have a detrimental effect, with the rich
and powerful being easily let off the hook.
"The proposed amendments might be a nail in the Indian BPO
industry's coffin. By putting a protectionist ring, we are sending a wrong
message to the international community. It is bound to have a significant impact
in the coming days," says Duggal.
National Association of Software and Services Companies (Nasscom),
in a statement released has welcomed the proposed amendments. "Nasscom has
been working closely with the government to evolve these recommendations, which
will further strengthen the Indian IT Act 2000 and secure the legislative
framework for security practices in the Indian IT BPO sector. We understand that
these amendments have incorporated most of the recommendations, and are hopeful
that this will lead to better handling of cyber crime by enforcement
authorities," reads the official statement.
Is the Industry Worried?
There is another twist to the tale. As per the original law, a committee
comprising legal, technical experts as well as bureaucrats was to take care of
further amendments to the act. CRAC or Cyber Regulatory Advisory Committee was
to be entrusted with the task of advising further amendments. Gulshan Rai,
director, CERT-IN, is supposedly a member of the CRAC. He was loathe to take a
stance on the issue, and was quite defensive when asked about his views on the
proposed amendment. Ditto, from the babudom, no one would respond to any queries
on the proposed amendments.
The BPO industry seems not be too unduly perturbed. Atul Kanwar,
CEO, Transworks, a leading BPO company in India, welcomed the proposed
amendments as a "good interim step". According to Kanwar, there is
need for a holistic approach on the issue of IT laws and crimes. "While,
the IT Act was a good step a few years back, it needs to change keeping in mind
the industry scenario. We need an act that is sensitive to the issue of data
theft and data privacy. The law needs to serve all these issues as well. We also
need to strengthen the criminal investigation and prosecution engine," he
adds.
So will foreign clients pull the plug if the amendments are
incorporated? "Not at all," assures Safir Adeni, CEO, Sitel India,
another leading BPO company in India. "All responsible BPOs have their own
internal processes to assure clients on security aspects. Such framework will
only help," he adds. "The government's demonstration of concern and
its responsibility towards data/information security is welcome. The recent
uproar in overseas media may have hastened the tabling and passing of the
amendments," feels Adeni.
|
|
|
"The government's |
/dq/media/post_attachments/44b49eb9add1f250a2ee9f97fbad134ae4532b05372c92acbe61d12c8415b9e6.jpg)
Kanwar seems to hold similar views. "We are working in a
global environment and thus need to adhere to rules and regulations that exist
in the markets we work. We adhere to similar rules and regulations as our
clients. So that should not be much of an issue," says Kanwar. Though, he
warns against any sort of lethargy on the issue of data-theft. "BPOs are
center stage in people's mind, we are talking of a new paradigm. Thus we need
to set standards. Data thefts and other crimes might be commonplace abroad, but
that is no reason for us to brush off the few that happen in India. We need to
guard against such incidents," he says.
Will the functioning of BPO companies be affected by these
amendments? "BPOs will be required to be more security conscious about the
business environment (cyber-safe framework) they provide to their clients.
Apparently, the amendments provide for more self-governance, in which case the
onus will be on BPOs. These new changes will ensure that the broader segment of
the industry will have a consistent and standardized approach to dealing with
the issue as well as ensuring that we have no gaps even at smaller BPOs,"
mentions Adeni.
India was the second country in the world to enact IT laws in
the year 2000. But a lot of water has flowed under the bridge. Much has changed
over these years and like everything else, there is a crying need for these laws
to change and evolve keeping in mind the ever-changing times. The only
conviction till date has been the State of Tamil Nadu versus Suhas Katti last
year. Katti has posted an obscene profile of a lady based in Chennai, after an
investigation that lasted seven months, he was sentenced by the courts to 5
years imprisonment and Rs 5,000 in fine. The case was landmark in terms of the
speed in which the prosecuting agency conducted the investigation.
Whether these proposed amendments are a step in the right
direction or retrograde in nature, is something that is open for debate. And a
debate on this issue is crucial if not critical.
Shashwat Chaturvedi
maildqindia@cybermedia.co.in