IT Act reforms: Plug leakage of sensitive State information
At a recent Nasscom event, Union minister of state for electronics and information technology Rajeev Chandrasekhar said India needs a new digital law as the current one — the Information Technology Act, 2000 — is more than 20 years old. The minister is passionate about making the IT system user-friendly and technologically near-perfect. But the fundamental question is whether the Act needs to be tweaked at all or not. No legislation is perfect. As a government implements a law, infirmities surface.
In 2008, the IT Act underwent an overhaul. Several reforms were made, including the substitution of
“digital signature” with “electronic signature” to make the Act technology-neutral. Also, the expression “communication device” was defined to include mobiles and any other device used for sending or transmitting text, video, audio or an image. Further effort was made to define an “intermediary” to protect the innocent and the unwitting transmission of objectionable material by a service provider or other persons. Perhaps the most essential addition to the law was Section 66A to 66F, which took cognisance of offences, including the circulation of obscene material and the commission of identity theft. The first time cognisance of violation of privacy was another distinctive feature of the 2008 Act.
Significantly, Section 69 was amended to give enough power to the State to direct interception and monitoring of encrypted messages. Sections 69A and 69 B specifically empowered the government to block information passing through a computer resource. The section was meant to combat terrorism.
No discussion of the IT Act, as promulgated in 2000 and heavily amended in 2008, will be complete without referencing how the term “intermediaries” was defined and expanded. While the former gave protection to network service providers, the 2008 enactment expanded the circumstances under which such protection will be available to a wide range of individuals and organisations, including telecom service providers, network service providers, internet service providers and web-hosting service providers.
This protection, however, is not available as a matter of routine. It is necessary that the person claiming it did not himself originate the impugned information and should prove to the authorities that he employed due diligence to make sure that no offensive communication passed through him, or his device. Since then, a few other minor amendments have been made. These have taken care of the emerging scenario where computers have revolutionised the scene. However, it is true that almost every other month, a novel form of cybercrime is reported. The IT Act cannot provide for this bizarre situation except to put down a broad rubric for various offences. Hence, tinkering with the Act every time a new form of crime comes to the surface may be inexpedient or not called for.
The focus of reforms should be on preventing leakage of sensitive information about the State or what should remain within the preserve of a computer user. Both the technology deployed and the greatest circumspection of every user can frustrate a wilful intruder. However, if the user himself or herself is complicit, as was in the case of the recent National Stock Exchange scandal, where a few favoured individuals were allegedly allowed access to a server before other legitimate users, no technology or law can help.
Security and privacy have become hollow mantras employed when they suit government or computer users. Sometimes it is amusing to watch the paranoia that dictates them. I am inclined to go with Bruce Schneier, the famous cryptographer and cybersecurity expert, who said, “Secrecy and security aren’t the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public”.
Let us bring some sobriety and balance to the issue of security and safety. Only then will we know how to live fearlessly and sensibly.