At the very tag-end of 2008, an extraordinary event took place. India’s Parliament met for a stormy Winter Session, during which little of note was discussed, and little value was added to the fabric of society. And then, as the Session was drawing to a close, a number of Bills were brought up for voting, and within a few minutes, with few or no words exchanged, they were passed in toto.
The utter disregard of the country and its people implicit in this kind of facile performance is stunning and salutary, especially in light of the public agitation that has spread across northern Africa and parts of Asia, with citizens of many countries taking to the streets to express their disgust at the way that they have been taken for granted, by governments and leaders that claim to have their best interests at heart. Some of the perpetrators of such callousness now find themselves scrabbling to escape, together with untold amounts of wealth stolen from their hapless countries.
That the Indian public has so far been a little more forgiving of such small degradations is a current feature, not a guarantee.
Today, February 28, 2011, I am trying to be equally forgiving.
Of course, Bills are meant to be discussed threadbare in Standing Committees formed of Parliamentarians designated for the purpose, and it is the result of their deliberations – with amended and restructured wording adjudged most acceptable to the House – that actually comes up for vote. This is a good thing, generally, as it keeps the House itself from getting bogged down in sometimes not very fruitful debate – not everyone can be fully aware of all the implications of every matter where laws are needed.
Unfortunately, the truth is that the House spends most of its time in precisely such fruitless discussions, and the real business, the creation of laws to implement a long-term strategic national policy, is swept away in a welter of triviality.
This is the fate of the country’s IT policy, the synthesis of the features of a rapidly changing technology with the immediate as well as the future needs of the people of this country. Nothing could signify this more than the fact that the IT Act 2008, comprising amendments to the Act of 2000 that were proposed in 2006 (the original name of the Bill was, in fact, the IT (Amendment) Act of 2006), could not be passed until 2008, and the rules to actually enforce the Act have come up for public discussion in a period that ends today, two and a quarter years after passage of the Act.
After all that, only three weeks have been given for the public to actually respond, and I only learned about it on Friday, three days ago. So here I am, trying to figure out why other people seem to be upset by this draft.
The draft rules are posted up here, with links to three documents archived in Portable Document Format (.pdf), which is readable on any modern browser, very helpful. They could have been made available in HTML5 compliant format, of course, even more helpful, but Rome wasn’t built in a day, as they say.
We Indians have learned through bitter experience that such ‘people-facing’ improvements come about only gradually, and that the servants of the people tend to live in ivory towers, answerable only to themselves, oblivious to the winds of change blowing outside.
Since the documents themselves are hosted for public access, I won’t reproduce them here in their entirety, simply the bits that I feel deserve comment.
However, in order to actually comment on the rules, it is necessary to read the Act itself, and there are, naturally, two versions of this, the original Act (ITA 2000, for brevity), and ITAA 2008 (which even the Ministry refers to by its original title, ITA 2006, although it wasn’t actually passed in the House of Parliament until Dec 2008, not endorsed by the President until Feb 2009, and then only notified in October 2009).
These are very kindly hosted by the Ministry as PDF images of the original copies as released in the Gazette of India, which is, of course, a paper document, thus making them almost useless as a reference. Thankfully, legal service organisations have already done the hard work of uploading digital versions of the actual content, from where I have copied the relevant text.
Section 43 A
Compensation for failure to protect data (Inserted vide ITAA 2006)
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected. (Change vide ITAA 2008)
Explanation: For the purposes of this section
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
The wording of the Act is curious, and close to obnoxious, actually. It carefully defines the potential offender as a body corporate, inclusively defining all the permutations and combinations recognised by company law in India. It leaves out, very deliberately, bodies that belong to us all, the citizens of India, held for us by the President of India or by the other subsidiary corporatised entities such as undertakings and so on.
This is a particularly odd omission, in the light of the gradual admission or discovery that the government routinely wiretaps and records voice and data interactions, numbering in the hundreds of thousands. All of this is supposedly done under carefully crafted permissions and oversight, yet hundreds of such conversations have been flagrantly revealed in the public domain, perhaps with the active connivance of some government employees (this is a surmise, as the matter is in court, and no such evidence has emerged).
At least one of these conversations has been alleged, by one of the interlocutors, in a petition filed in the Supreme Court, to be entirely private and unrelated to the alleged offences in respect of which the recordings were made. Needless to say, such recordings are nowadays made almost completely in digital mode, and the dividing line between ‘telephony’ and ‘computer resources’ (as defined in the Act) has become very blurred indeed.
So what are the proposed Rules pertaining to this section?
Firstly, the intermediary shall observe following due diligence while discharging its duties.-
That seems innocuous enough.
It goes on to say:
(2) The intermediary shall notify users of computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that [contravenes any other law in force, detailing them fairly exhaustively].
And so on. All of these are apparently designed to protect citizens from misuse of their personal information by other privately owned bodies (including individuals). What they actually do is impose enormous restrictions on the ability of information providers to host content that could conceivably be at odds with the government in power, i.e. implicit censorship.
Subclause (12) is interesting in a different way, because it asks ‘the intermediary’ to notify CERT-IN – and to share details – of breaches in security (the context makes very clear that the breaches meant are those that might lead to leakage of subscribers’ personal information). Some government websites (income tax, election commission and others) themselves are in almost continuous breach of such security. The draft Rules seem to deliberately exempt the government from protecting its citizens, in an Act designed precisely to do that!
Subclause (13) is delightful in its vagueness, that intermediaries shall not deploy or install or modify the technological measures or become party to any such act which may change or has the potential to change the ‘normal’ course of operation of the computer resource than what it is ‘supposed’ to perform thereby circumventing any law for the time being in force. The emphasis is mine.
Who is going to determine what a computer, a general purpose computer, is ‘supposed’ to do, or what it ‘normally’ does? Such modifications become acceptable if their purpose is to secure the computer resource. Who is going to prove that the purpose is actually to ‘secure’ the resource? This looks like an enormous potential for lawsuits, government-sponsored intimidation and in general, restriction of technological development in India.
The creation of a well-constructed cyberlaw ought to be to promote, not restrict, the development of technological advances in the country. As it is, the country has almost completely missed out on the development of digital voice technologies for communication, that have made serious inroads into the domination of older, almost outmoded, analogue technologies, and it would be disastrous to have such continuance of blinkered restrictions, especially in the context of a law designed to nurture the country and its people in an environment of cyber technologies.
Finally, to strike a slightly minor note, the title of the relevant pdf file hosted by the Ministry is due_dilligance4intermediary07_02_11. It is quite disgraceful, imho, to have such misspellings, without any evidence of checks and quality control.
Let’s move on.
Exemption from liability of intermediary in certain cases
(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link hosted by him. (corrected vide ITAA 2008).
The next two subsections cover the conditions in which this applies, and in which it doesn’t apply, respectively.
However, the Rule talks only about entities securing collected personally identifiable information. And it does so in a really curious manner. It makes it mandatory for the intermediary to follow the dictates of the international security standard IS/ISO/IEC 27001, declaring that this ‘has been adopted’ for use in the country.
Standards in India are normally prescribed by the Bureau of Indian Standards, and the nomenclature to be used is prescribed by that agency (standards follow the nomenclature BIS[nnnn]). Well-known cyber-lawyer ‘Naavi’ has pointed out that the 27001 document happens to cost USD 160, not a trivial sum for a small organisation in India, especially one that may not actually have any international business interests.
This appears to be a subtle nudging of business towards larger corporations, by raising the cost of doing business beyond an affordable level for the MSME sector (the prescribed upper limit of penalty for a breach of security that results in leakage of PII is Rs 5 crores, meant to be a compensation to the person(s) whose information is put at risk).
The subheading of this particular set of rules is ‘Reasonable Security Practices and Procedures’, but the definition of ‘reasonable’ is arguable.
On the other hand, if the PII of hundreds of thousands of citizens is put at risk by some organisation, by an identifiable lack of adequate security, is Rs 5 crores going to be enough? The country is still riven by the measly compensation legally determined for the thousands of people killed and injured by the 1984 Bhopal gas tragedy, and the last thing we need is another legal blockage to equitable compensation. This Rule seems to err on both sides of the limit.
Today’s draft Rules conclude with the duties and responsibilities of cybercafes, to be called the Information Technology (Guidelines for Cyber Cafe) Rules, 2011.
Cybercafes are to be licensed, under the rules, and the ‘appropriate government’ shall notify the agency to carry out this task. This certainly implies that cybercafes shall be centrally administered under these rules, an extraordinary choice for what is often – actually, almost always, except for a handful of big corporations that have tried to get into it – a very small business.
The next point is that cybercafes shall not permit users who do not carry one of 7 different kinds of identity document (seven alternatives are listed, but are numbered from one to six, another glaring typographical error). In lieu of such identification documents, the user must be photographed by the cybercafe, such digital photographic image forming a part of the user’s registration with the cybercafe. Children (the rules do not define ‘child’) who do not possess a photographic identity card (this wasn’t specified for adults, but all seven alternatives happen to be photo-identity cards) must be accompanied by an adult who does.
The next condition is almost risible: the cybercafe must ensure it has adequate measures to assure itself that the identity of its users is established. This is something the Government of India has been flagrantly unable to do for decades, and I really wonder whether the person who drafted this classic had a thinking cap, because it couldn’t have been worn.
The cybercafe must maintain logs (a log register) for a year, and submit copies of monthly usage logs in both hard and soft form to the designated agency (note it hasn’t been designated yet, and this seems oddly reminiscent of the confusion around digital certificates and digital signatures). Over and above this, the cybercafe owner shall be responsible for maintaining logs in extraordinary detail for six months, per user:
(i) History of websites accessed using computer resource at cyber cafe
(ii) Logs of proxy server installed at cyber café
(iii) Mail server logs
(iv) Logs of network devices such as router, switches, systems etc. installed at cyber café
(v) Logs of firewall or Intrusion Prevention/Detection systems, if installed.
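To make concrete what ‘per user’ logging actually demands of a cybercafe owner, here is an added example (mine, not from the draft Rules, CERT-IN or the original post) that joins proxy server log lines to the cybercafe’s user register and prunes them to the six-month window. It assumes Squid’s native access.log layout for item (ii), a register of (user id, terminal IP, session start, session end) produced by the photo-ID check, timestamps in UTC, and 183 days as the reading of ‘six months’; the log lines and register entries are constructed for the example. A proxy record on a terminal with no registered session is kept under a separate UNATTRIBUTED key, since that is exactly the gap the identity requirement is meant to close, and an inspector would want to see it rather than have it silently dropped.

```python
"""Per-user browsing history from Squid proxy logs plus a cybercafe user register.

Added example; constructed data. Assumptions: Squid native access.log format,
register layout (user id, terminal IP, session start, session end), UTC times,
and a 183-day retention window standing in for 'six months'.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed register: what the photo-ID check at the counter would produce.
REGISTER = [
    ("USR-001", "10.0.0.11", "2011-02-28T10:00:00", "2011-02-28T11:00:00"),
    ("USR-002", "10.0.0.11", "2011-02-28T11:30:00", "2011-02-28T12:00:00"),
    ("USR-003", "10.0.0.12", "2010-08-01T09:00:00", "2010-08-01T09:30:00"),
]

# Constructed Squid native access.log lines:
# epoch-seconds elapsed-ms client action/code size method URL ident hierarchy type
ACCESS_LOG = """\
1298887200.101    250 10.0.0.11 TCP_MISS/200 4512 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1298887800.500    120 10.0.0.11 TCP_HIT/200 880 GET http://example.org/news - NONE/- text/html
1298892900.000     90 10.0.0.11 TCP_MISS/200 300 GET http://example.net/ - DIRECT/203.0.113.5 text/html
1298893500.000     90 10.0.0.13 TCP_MISS/200 300 GET http://example.net/unregistered - DIRECT/203.0.113.5 text/html
1280653200.000     40 10.0.0.12 TCP_MISS/200 100 GET http://example.com/old - DIRECT/93.184.216.34 text/html
"""


def _iso(s):
    """Register timestamps are assumed to be UTC wall-clock ISO strings."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def parse_access_log(text):
    """Parse Squid native access.log lines; skip malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        records.append({
            "ts": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
            "client": fields[2],
            "status": fields[3],
            "url": fields[6],
        })
    return records


def attribute(records, register):
    """Map each proxy record to the user registered on that terminal at that time.

    Records with no covering session land under 'UNATTRIBUTED' so the gap is visible.
    """
    sessions = [(u, ip, _iso(a), _iso(b)) for u, ip, a, b in register]
    history = defaultdict(list)
    for r in records:
        owner = "UNATTRIBUTED"
        for user, ip, start, end in sessions:
            if r["client"] == ip and start <= r["ts"] <= end:
                owner = user
                break
        history[owner].append((r["ts"], r["url"]))
    return dict(history)


def prune(history, now, retention_days=183):
    """Drop entries older than the retention window, and users left with nothing."""
    cutoff = now - timedelta(days=retention_days)
    kept = {}
    for user, entries in history.items():
        fresh = [e for e in entries if e[0] >= cutoff]
        if fresh:
            kept[user] = fresh
    return kept


def per_user_history(log_text=ACCESS_LOG, register=REGISTER, now=None):
    """Full pipeline: parse, attribute to users, apply retention as of 'now'."""
    now = now or datetime(2011, 2, 28, 12, 0, tzinfo=timezone.utc)
    return prune(attribute(parse_access_log(log_text), register), now)


if __name__ == "__main__":
    for user, entries in sorted(per_user_history().items()):
        print(user)
        for ts, url in entries:
            print(f"  {ts.isoformat()}  {url}")
```

Run as-is it prints two attributed users and one UNATTRIBUTED entry; USR-003’s August 2010 record falls outside the 183-day window and is pruned. Note how much of the real work sits in the register, not the proxy: without a clock-synchronised, accurate session start and end per terminal, the join is guesswork, which is the practical problem the Rules leave entirely to the cafe owner.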
Helpfully, CERT-IN has already prepared a document to ‘help’ cybercafes follow this rule, and it is hosted at http://www.cert-in.org.in. This guideline attempts to provide (it says) some insights into the issues related to Auditing and Log Management and suggest best practices for enabling and maintaining Auditing and logging on Windows hosts, Linux hosts, Microsoft IIS server, Apache Web server, Oracle 10g database Server and Microsoft SQL Server 2005. Implementation of these best practices will enable administrators to acquire vital information to identify and respond to the computer security incidents.
This doesn’t sound quite like a document intended to help security agencies investigate crimes, yet (see further on) that is clearly the purpose for which the rules are framed, for it is the police or equivalent that will certify cybercafe compliance!
The next few rules relate to organising the space in the cybercafe to prevent users from maintaining privacy. In fact, with the intention of preventing users from viewing ‘pornographic sites’, the subsections describe how to ensure that users have no privacy at all. Unfortunately, pornography has not been defined under Indian law, to the best of my knowledge.
The subclause following is even more odd, as it prohibits the user from ‘tampering’ with the computer system settings. What could these be? That is not defined, nor is the word ‘tamper’. Simply choosing between two available printers could amount to tampering with settings, for instance. Booting up from a secure OS on a pen drive could also amount to ‘tampering’, and yet pen drive computers are quite possibly one of the directions that computing may take, enabling millions of people to securely access shared computer resources (eg power supplies, microprocessors, networks, printers and other peripherals) relatively inexpensively, without sacrificing personalisation or privacy.
All of this is to be inspected and supervised, according to subsection 7, by a police officer not below the rank of inspector. Presumably such officers are competent to inspect (‘at any time’) the logs and other technical functioning of the cybercafe. The rules do not prescribe any qualification at all for such officers, other than their rank.
Are these rules drafted to improve the functioning of cybercafes, or is there some implicit agenda relating to involving cybercafe users (and owners, of course) in crime investigations?
In short, the rules as drafted appear to be exceptionally vague. I hope this is not deliberately so, even though it is uncomfortably obvious that it has taken a long time to come up with this draft, a period markedly low on public consultation.
Equally uncomfortably, I can’t help feeling there is a needle of suspicion that the rules impose a large measure of censorship and control on content on online services (unknown for any other form of media available in India), leaving service providers (including cybercafes) open to potential harassment and worse. As I pointed out, earlier restrictions blindly applied (and still in force, by the way) led to Indian technologists in India losing out on a lucrative business opportunity.
For the government to avoid pushing Indian enterprise towards conglomeration and away from distributed and disseminated business models (a key part of IT business everywhere), it must avoid sketchily drawn up (and poorly drafted, full of typos and more) rules like this. Moreover, if the Net is to be treated on par with other forms of media, whose reach, determined by their physical formats, is regrettably low in India (despite being among the largest media consuming countries in the world), the government needs to avoid imposing censorship in the name of ‘protecting’ our sensibilities.