Competitive Exams: Current Affairs 2011: Cyber Crime

Cyber Crime

The draft Information Technology (Due Diligence observed by intermediaries guidelines) Rules, 2011 circulated by the Ministry of Communications and

Information Technology on February 10, 2011, address the issue of the liability of internet service providers (ISPs) and other intermediaries, an issue which achieved public notoriety through the Baazee. Com case in 2004. In one master stroke, the

Draft Rules settle the dispute raging over the last year, regarding the use of encryption techniques by the customers of BlackBerry, Google, Skype and MSN.

Yet, while doing so, the Draft Rules also reveal the fundamental shortcomings of the IT Act even after the 2008 amendments.

The question is whether ISPs should be treated in the same manner as newspapers or magazines publishing content and, therefore, made potentially liable for copyright infringement, defamation, obscenity and other civil/criminal liability, or as telephone companies which are not liable for the content of the communications they transmit.

The view in the US has been that an ISP is a passive service provider much like a telephone company and cannot be held liable for the content transmitted through its server. This legal position changed in the US with the passage of the Digital

Millenium Copyright Act (DMCA), which provided a safe harbour for ISPs, conferring exemption from copyright liability. However, the exemption is subject to the ISP meeting certain conditions. The ISP must not have the actual knowledge that the material is infringing, must not be aware of the facts and circumstances from which the infringing activity is apparent and, in the event of having such knowledge, must act expeditiously to disable such material. In order to avail himself of the exemption from liability, the service provider must also not receive a financial benefit directly attributable to the infringing activity.

The legal position in India is similar to the DMCA in that the exemption from liability is not absolute but is subject to meeting certain conditions. Following the 2008 amendments, Section 79 of the IT Act, 2000 provides that an intermediary will not be held liable for any third party information, data or communication link made available or hosted by him. However, this exemption will apply only if the following conditions are met.

First, the function of the intermediary must be limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted.

Second, the intermediary does not initiate the transmission, select the receiver or select/modify the information contained in the transmission. In other words, the

ISP acts like a telephone company and not like a newspaper editor who can select or edit the information provided. The exemption will also not be applicable if the

ISP has conspired, aided, abetted or induced the commission of the unlawful act; or upon receiving actual knowledge that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material.

The last two conditions are similar to those imposed under the DMCA in the US

Sub-rule (2) of the Draft Rules lists the types of infringing information which should not be transmitted by the intermediary, including information which is

  1. abusive, blasphemous, obscene, vulgar etc.

  2. infringing of IPRs

  3. sensitive personal information

  4. information which threatens the unity, security or sovereignty of India

The list of the offences which are the instruments of modern cyber crime includes any information which impersonates another person, that is, identity theft and deceiving or misleading the addressee about the origin of electronic messages more commonly known as phishing.

However, this list comprising identity theft and phishing is entirely inadequate as these are only a few methods of modern cyber crime/war.

The list ignores, for example, the installation of a program which allows an attacker to remotely control the targeted computer otherwise known as

Keyloggers and BOTNETS

Another common tool of cyber crime is the use of a software program or a device designed to secretly monitor and log all keystrokes otherwise known as keyloggers.

The Draft Rules also introduce a definition of cyber security incident as any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.

There is a fundamental lacuna in the IT Act as it ignores the concepts of modern cyber war altogether and is limited to the outdated concerns of theft of software code through hacking.

The Draft Rules incorporate the government's stand vis-a-vis BlackBerry into law because they require an intermediary to provide information to government agencies, which are lawfully authorised for investigative, protective, cyber security or intelligence activity. In sum, the Draft Rules provide the key to the back door long sought after by the government and leave no doubt that security concerns will prevail in law over the interest in privacy through use of encryption by civil society.

Courtesy: The Hindu and Times of India