Saturday, February 26, 2011

Information Technology (Due Diligence observed by intermediaries guidelines) Rules, 2011

The draft "Information Technology (Due Diligence observed by intermediaries guidelines) Rules, 2011" circulated by the Ministry of Communications and Information Technology on February 10, 2011, address the issue of the liability of internet service providers (ISPs) and other intermediaries.

Following the 2008 amendments, Section 79 of the IT Act, 2000 provides that an intermediary (for example, an ISP) will not be held liable for any third party information, data or communication link made available or hosted by him. However, this exemption will apply only if the following conditions are met.

First, the function of the intermediary must be limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted. Second, the intermediary does not initiate the transmission, select the receiver or select/modify the information contained in the transmission. In other words, the ISP acts like a telephone company and not like a newspaper editor who can select or edit the information provided. The exemption will also not be applicable if the ISP has conspired, aided, abetted or induced the commission of the unlawful act; or upon receiving actual knowledge that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material. The last two conditions are similar to those imposed under the DMCA in the U.S.

Furthermore, in order to avail himself of the exemption under Section 79, the intermediary must "observe due diligence" while discharging his duties under the IT Act, 2000 and also observe other guidelines which the Central government may prescribe in this behalf. For the first time, since the 2008 amendments came into force, on February 10, 2011, the Ministry of Communications and Information Technology circulated draft rules regarding due diligence by intermediaries (the "Draft Rules").

Sub-rule (2) of the Draft Rules lists the types of infringing information which should not be transmitted by the intermediary, including information which is:
1) abusive, blasphemous, obscene, vulgar etc., 
2) infringing of IPRs, 
3) sensitive personal information, and 
4) information which threatens the unity, security or sovereignty of India.

However, sub-rule (2) then tries to add in the offences which are the instruments of modern cyber crime. The list includes any information which impersonates another person, that is, identity theft, and deceiving or misleading the addressee about the origin of electronic messages, more commonly known as phishing. However, this list comprising identity theft and phishing is entirely inadequate as these are only a few methods of modern cyber crime/war. The list ignores, for example, the installation of a program which allows an attacker to remotely control the targeted computer, otherwise known as "BOTNETS." Another common tool of cyber crime is the use of a software program or a device designed to secretly monitor and log all keystrokes, otherwise known as "keyloggers." However, neither the remote access of a computer nor the secret monitoring of a computer resource is mentioned in sub-rule (2).

The Draft Rules also introduce a definition of "cyber security incident" as any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation. In fact, the need to include the concepts of modern cyber crime and a definition as basic and critical as "cyber security incident" in Draft Rules on due diligence by intermediaries shows that there is a fundamental lacuna in the IT Act itself, namely, that it ignores the concepts of modern cyber war altogether and is limited to the outdated concerns of theft of software code through hacking.

The partial attempt to bring in the concepts of modern cyber crime under the purview of the IT Act distracts attention from what is perhaps the main objective of the Draft Rules, that is, to codify the government's position towards service providers such as BlackBerry, Google, Skype, and MSN Hotmail which has recently attracted much attention. Research in Motion (RIM), the Canadian company, which operates BlackBerry, provides its customers with their own encryption key and does not possess a master key. According to RIM, in its system, there is no "back door" through which either RIM or any third party can gain access to the key or the customer's data.

However, the Indian government was concerned that this level of encryption makes it impossible to monitor BlackBerry messages for national security purposes and that BlackBerry's strong encryption technology could be used for terrorist or criminal activity. As per newspaper reports, on August 31, 2010, the Government of India accepted RIM's proposal for "lawful access by law enforcement agencies" of encrypted BlackBerry data. In December 2010, RIM reportedly provided the government a cloud computing-based system which would enable security agencies to lawfully intercept BlackBerry Messenger (BBM) messages in a comprehensible format but not BlackBerry Enterprise Service, that is, corporate emails.

The Draft Rules incorporate the government's stand vis-à-vis BlackBerry into law because they require an intermediary to provide information to government agencies, which are lawfully authorised for investigative, protective, cyber security or intelligence activity. In sum, the Draft Rules provide the key to the back door long sought after by the government and leave no doubt that security concerns will prevail in law over the interest in privacy through use of encryption by civil society.
