The Indian IT Act 2000 turns two this month. However, rather than being part of the solution to the misuse of technology, its implementation seems to have opened up a Pandora’s box. In light of a recent Bombay High Court verdict on the lackadaisical track record of the Indian government in this aspect, Rajneesh De & Stanley Glancy trace the loopholes in the Act

with the recent spate of high profile cases involving the entertainment industry and the underworld, and with cases dealing with global terrorist conspiracies, the Bombay High Court has been in the news for one reason or another. However, last week saw a landmark judgement in the IT space, when a bench comprising Justices Ajit Shah and Ranjana Desai, severely censured the Union government for not appointing appropriate authorities to enforce right of remedy under the Information Technology Act (IT Act), passed by Parliament way back in 2000. Though this judgement lacked the drama and sensation associated with the more high-profile cases, in the long run it just might turn out to be an issue more crucial in the national interest.

Before trying to analyse the importance of the verdict, it would be best to understand its background and circumstances. Section 46 of the IT Act lays down provisions for appointing an adjudicating officer for the purpose of adjudicating contravention under Chapter IX of the IT Act, while Section 57 of the Act lays down provisions for appealing against the order of the adjudicating officer at the Cyber Appellate Tribunal. In addition, as per Section 61 of the Act, no civil court shall have jurisdiction to entertain any suit or proceedings in respect of any matter that an adjudicating officer appointed under the IT Act, or Cyber Appellate Tribunal constituted under the IT Act, is empowered by or under the IT Act to determine.

Impact of inaction
These clauses by themselves might sound draconian to some, but to make matters worse, even two years after the passage of the Act, the government has not yet exercised its powers of appointing statutory authorities stipulated under the IT Act, including the adjudicating officers and the Cyber Regulations Appellate Tribunal.

This omission on the part of the government led Arvind Avahad and Nupur Jain, both students from the Pune-based Asian School of Cyber Laws, to file a Public Interest Litigation (PIL). Apart from chastening the government, the judges have also directed the Centre to expedite the process of setting up of these enforcement agencies and to file an affidavit by August 14 in this regard. According to sources, the government has filed an affidavit asking for more time to set up these agencies. The Court is yet to respond to this.

The petitioners contended they wrote letters almost a year ago to the Ministry of Information Technology and the Ministry of Law, asking them to rectify this defect. As no action was taken by these ministries, Avahad and Jain approached the High Court. The government’s “we-don’t-give-a-damn-attitude” on the issue appears to be a widespread malaise, because even when Express Computer attempted to speak to some officials in the IT ministry, they either feigned ignorance or waved it off as a trivial issue.

How does this typical case of bureaucratic procrastination over setting up enforcement agencies affect the course of justice? According to Neetu Chandani, advocate with Mumbai-based legal firm Legalpundits, in the absence of these enforcement agencies, victims of various cyber crimes, covered by Chapter IX, had no remedy and the objectives of the Act remain unachieved. Supreme Court advocate Pavan Duggal comes down even harder on the government. He feels that people affected by cyber crimes have no remedy except to wait till such time as the government appoints these statutory authorities, and therefore the Bombay High Court directive comes as a breath of fresh air.

There is no apparent reason cited by the government till date for the delay in appointing appropriate authorities. Therefore, it is nothing short of a miracle that the IT industry is yet to be bogged down by the weight of an increasing number of disputes. Says Duggal, “We passed the IT Bill in a hurry, and after the initial euphoria died down, there is a marked lack of enthusiasm on issues concerning Indian cyber laws. Practically speaking, it seems that appointing statutory authorities has been on the backburner, since there have been more urgent and pressing national exigencies like the Indo-Pak tension, the Gujarat conflagration, and the petrol pump scam, among others.”

However, the judges regard this lapse as a violation of fundamental rights, and the legal fraternity seems to agree. The lapse violates the citizen’s right to obtain legal redress despite a remedy being available to them on paper. In such a scenario, the fundamental rights guaranteed by the Constitution of India are violated, especially the Right of Life and Constitutional Remedies.

One of the main objectives of enacting the IT Act 2000 was to facilitate e-commerce in India by bringing in suitable amendments in the law. In order to prevent possible misuse arising out of transactions and other dealings concluded over the electronic medium, it was proposed to create civil and criminal liabilities for contravention of the provisions of the proposed legislation. Moreover, the purpose of setting up separate redressal agencies was to speedily resolve disputes, thereby preventing a backlog of cases and delay in imparting justice. However, the inaction of the government seems to have defeated the whole purpose.

Full of potholes
The moot point now seems to be whether this was an instance of negligence in isolation or whether there are more lacunae in the IT Act. Sadly, the second view seems to be true. The Act purports to be applicable to not only the whole of India, but also to any offence or contravention thereunder committed outside of India by any person. This provision in section 1(2) is not clearly drafted. It is not clear as to how and in what particular manner the Act will apply to any offence or contravention committed outside of India by any person. The enforcement aspect of the IT Act is an area of grave concern. Given India’s dismal track record in extraditing even terrorists from abroad, it will be extremely difficult to expect our government to bring back cyber criminals from Pakistan or the Middle East. Therefore, numerous difficulties are likely to arise in the enforcement of the Act as the Internet has shrunk the size of the world and slowly national boundaries shall cease to have much meaning in cyberspace.

It is also strange that section 1(4) of the Act excludes numerous things from the applicability of the IT Act. The Act does not apply to (a) a negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881; (b) a power of attorney as defined in section 1 A of the Powers-of-Attorney Act, 1882; (c) a trust as defined in section 3 of the Indian Trusts Act, 1882; (d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition by whatever name called; (e) any contract for the sale or conveyance of immovable property or any interest in such property. All countries with a set of cyberlaws attempt to integrate them judiciously with other laws, whereas the Indian IT Act seems to be moving in the other direction. The Act talks about promoting electronic commerce and it begins by excluding immovable property from the ambit of electronic commerce a reasoning that Duggal feels defies all logic.

Domain name controversy
The IT Act 2000 does not even touch the issues relating to domain names. Domain names have not been defined, and the rights and liabilities of domain name owners do not find any mention in the said law. It may be submitted that electronic commerce is based on the system of domain names and excluding such important issues from the ambit of India’s cyberlaws does not appear logical. Besides, the Act also does not deal with intellectual property rights of domain name owners. Contentious, yet very important issues concerning copyrights, trademarks and patents have been left untouched.

The IT Act talks about the use of electronic records and digital signatures in government agencies. Yet, strangely it further says in section 9 that this does not confer any right upon any person to insist that the document in questions should be accepted in electronic form. The control of the government is apparent, as the Controller of Certifying Authorities has to discharge his functions subject to the general control and direction of central government.

The Internet and the phenomenon of electronic commerce require that minimum hurdles and obstacles need to be put in their way. The Act on the other hand seeks to bureaucratise the entire process of controlling electronic commerce. This is already resulting in delays and other related problems.

Crime syndicate
As cyberlaws keep growing, so are newer forms and manifestations of cyber crimes. The offences defined in the IT Act are by no means exhaustive. However, the drafting of the relevant provisions of the IT Act make it appear as if the offences detailed in the Act are the only cyber offences possible. For example, cyber offences like cyber theft, cyber stalking, cyber harassment and cyber defamation are not covered under the Act.

One common complaint in this respect has been that police officers are not sufficiently trained to deal with issues related to cyber crime. At the same time, Chandani feels that it is also true that IT is an upcoming industry and police officers are being trained to deal with the ever-growing arena of the Internet and related technologies. Considering the rate at which our authorities become accustomed to new technology, it would not be wrong to say that the police are trying their level best to combat cyber crime. In fact, most experts suggest that the Union government should appoint some agencies to train officers under the IT Act in regard to technicalities and intricacies of illegal acts in cyberspace.

Privacy issue
The IT Act talks of any agency of the government, intercepting any information, transmitted through any computer resource, if the same is necessary in the interest of the sovereignty or integrity of India, the security of the state, friendly relations with foreign states, for public order or for preventing incitement to the commission of any cognisable offence. This is one provision that is likely to be misused by future governments to suit their political motives, and also for the purpose of victimisation. No standards or provisions have been laid down by the IT Act, which define any conditions detailed above. The supporters of the cause of individual privacy and freedom see these provisions as a gross violation of individual freedom and that the conditions are unreasonable restrictions, which are not permissible in the context of the rapid growth of the Internet.

Sanjeev Rawell, a Bombay High Court advocate with Kudrolli & Rawell feels that the real problem is that we do not have any specific laws to deal with the privacy issue. A new legislation needs to be put in place to address this issue. Our IT Act is based on the UN model of e-commerce. But technology is constantly changing, and if technology changes then we have to adapt to it. The data may be present here and the transaction might be happening in the US. The privacy issue in such cases can be an impediment for business. The US-based customer might want to keep their financial transactions private. There are pharmaceutical companies who are concerned about making their databases public. It is mandatory for them to put up the database for scrutiny, but they are not comfortable with this as it can be misused. By default, there is need for standards for privacy. The Andhra Pradesh government has enacted a Protection of Database Act, which needs to be taken up by the central government.

Digital signature confusion
Vaibhav Parikh, advocate with Mumbai-based legal firm Nishith Desai Associates, digs out further loopholes. He feels that digital signatures is one such issue. Acceptance of digital signatures has been slow worldwide, and not just in India. To add to these woes, India has three certification authorities. But Indian law does not recognise international digital signatures. India recognises certification given only by Indian certification authorities. Till date, only two companies have been given licenses to provide certification Safescrypt and a division of RBI. The world leader, Verisign, is not recognised by the Indian government, as it is a foreign company. But the law has made provisions for recognition in case of international deals. But as of today, the Act does not even allow international contracts using digital signatures.

The biggest concern about the IT Act even after two years relates to its implementation. The Act does not lay down parameters for its implementation. Also, when Internet penetration in India is extremely low and government and police officials in general are not at all IT-savvy, the new Indian Act raises more questions than it answers. It definitely looks like Parliament would be required to amend the IT Act 2000 to remove the grey areas. But is the government listening?