India enacted the Information Technology Act, 2000 (“IT Act”) on 09 June 2000[1]. The IT Act is based on the UNCITRAL model law on e-commerce[2]. The preamble of the IT Act simply indicates that the Act is centred around affording legal recognition to transactions carried out electronically. However, the scope of the IT Act goes much beyond its preamble. It covers multiple areas including data protection and security, cybercrimes, adjudication of cyber disputes, government mandated surveillance of digital communication, and intermediary liability.
The IT Act was amended last in 2011. Despite an unprecedented increase in cyber frauds, data breaches and general cyber security concerns, no changes have been made in the IT Act in almost 9 years. In February 2020, the Ministry of Electronics and Information Technology (“MeitY”) announced that it will revamp the IT Act with a stronger focus on framework for cyber security[3]. Emerging technologies, explosion of digital business models and a substantial increase in the instances of cybercrimes have triggered the government to take steps to fast track the process of amending the IT Act[4]. In this blog post, we trace the key developments and issues in the current cyber security framework under the IT Act and other legal/policy instruments in India.
A. Key developments in the cyber security framework in India-
1. The Indian Computer Emergency Response Team-
On 23 February 2003, the MeitY designated the Indian Computer Emergency Response Team (“CERT-In”) as the authority to issue instructions for blocking websites under the IT Act to prevent online obscenity[5]. In 2009, CERT-In was later nominated as the national agency to respond to cyber-security incidents[6]. The CERT-In is currently tasked with the following functions[7]:
a. Collecting, analysing and disseminating information on cyber incidents;
b. Raising awareness about cyber security among citizens;
c. Issuing guidelines, advisories, vulnerability notes on information security practices, procedures, prevention, response and reporting of cyber incidents. For instance, in December 2019, the CERT-In issued a vulnerability note on a vulnerability in the Android operating system called the StrandHogg[8].
2. Constitution of committee of experts to review the IT Act-
In 2005, a committee of experts was constituted by the erstwhile Ministry of Communications and Information Technology to review the IT Act. In their report, the committee proposed to strengthen the framework for computer based crimes. It also proposed to build a robust mechanism to deal with data protection and privacy challenges. Accordingly, the following notable amendments were suggested[9]:
a. Treatment of computer based crimes– Section 43 of the IT Act provided for compensation in various cases including unauthorized access to a computer system, data theft and introduction of viruses through a computer system. Section 66 of the IT Act penalized the offence of hacking a computer system. The committee suggested to substitute section 66 for a new section that comprehensively dealt with computer based offenses. The substituted section 66, which penalized computer offences done ‘fraudulently’ or ‘dishonestly’ was worded to be in line with the section 43 of the then IT Act[10].
b. Data protection – To ensure security of data and protection of information from unauthorized damage, the committee suggested to hold a body corporate processing, dealing or handling sensitive personal data in a computer resource liable for failure to implement and maintain reasonable security procedures and measures[11].
c. Stringent provisions to deal with cybercrimes– Provisions addressing the issue of child pornography and video voyeurism with higher degree of punishment were proposed[12].
d. Power of interception-Based on the recommendations of Inter-Ministerial Working Group on Cyber Laws & Cyber Forensics, wide powers of monitoring, interception and decryption of any information through any computer resource was proposed to be transferred from the Controller of Certifying Authority to the central government.
The set of amendments proposed to be introduced by these recommendations paved the way for the government to consider the issues of data protection and cyber security in its subsequent attempts to amend the IT Act.
3. Recommendations of the standing committee on IT on the IT (Amendment) Bill 2006-
Based on the recommendations of the committee of experts, the government introduced the IT (Amendment) Bill, 2006 (“Amendment Bill”) in December 2006[13]. It was later referred for review to the standing committee on IT. In its 50th report released in 2007, the standing committee on IT criticised the government’s approach of amending the existing IT Act, rather than bringing a new and exclusive legislation for governing information technology[14]. The standing committee on IT highlighted the following issues in its report:
a. Specific issues of cybercrime and cyber terrorism– The committee pointed out the inadequacy of the Amendment Bill to deal with the issues of cybercrime including cyber terrorism. It noted that cyber terrorism was not defined in the proposed amendments to the IT Act. The committee expressed its concerns over government’s proposal to introduce penalties that aligned the IT Act with the Indian Penal Code (“IPC”). The report noted that the IPC was an archaic law and ill equipped to encompass varied cybercrimes including cyber terrorism. The committee recommended to incorporate adequate, stringent, specific and self-enabling provisions in the IT Act itself to effectively deal with such offences.
b. Cross border cybercrimes– The committee opined that entering into Mutual Legal Assistance Treaties to deal with cross border cybercrimes with one country at a time offered a solution in a ‘piecemeal manner’. Accordingly, the committee recommended that the government must build a roadmap to become a part of an omnibus international convention on cybercrimes to effectively address this issue.
c. Child pornography– The committee recommended that the Amendment Bill should have explicit provisions to deal with child pornography. This would align it with the laws in other advanced countries and Article 9 of the Council of Europe Convention on Cyber Crimes.
d. Powers of interception – The committee questioned the rationale of vesting the central government with the power to issue directions for interception or monitoring of any information through any computer resource. It noted that since ‘public order’ and ‘police’ are state subjects as per the Constitution of India[15], the power to intercept any information should be vested in the state governments. This will also align the proposed law with the powers of interception given to state governments in the Indian Telegraph Act, 1885[16].
e. Status of the CERT-In– The committee in its report noted that even though CERT-In has been nominated as the national agency on cyber security, the status of the body has not been defined. Accordingly, the committee suggested that the agency should be defined as a government body to clarify its status beyond doubt. Doing so will instil confidence in foreign investors regarding existence of a bona fide legal framework in the country.
4. The Information Technology (Amendment) Act, 2008-
In December 2008, the Parliament enacted the IT (Amendment) Act 2008[17] (“Amendment Act”). The following notable amendments were introduced through the Amendment Act:
a. Computer related offences– The Amendment Act prohibited transmission of offensive messages or any information for the purposes of causing annoyance, inconvenience, etc. by means of a computer resource and communication service[18]. However, this provision was struck down later by the Supreme Court of India in the Shreya Singhal case[19].
b. Power of interception– Based on the recommendations of the standing committee on IT, the Amendment Act empowered both the central and state governments to issue directions for interception/monitoring of any information under section 69. The scope of the information intercepted was broadened to include its transmission, generation and storage, as opposed to just transmission in the original provision. The amended section also made issuance of such interception orders subject to additional safeguards introduced through the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“Interception Rules”).
c. Critical information infrastructure– The Amendment Act introduced the term ‘critical information infrastructure’ (“CII”) i.e.a computer resource whose destruction will have a huge impact on the national security, public health and safety and economy. Further, any computer resource facilitating such CII was designated as a protected system. Accordingly, the government was empowered to exercise control over such protected systems, in addition to prescribing information security practices and procedures for such a system[20].
d. Nodal agency for CII– In January 2014, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) was designated[21] as the national nodal agency under the provisions of the Amendment Act[22]. The NCIIPC is responsible for undertaking all measures to protect CII from unauthorized access, modification, use or disclosure[23].
5. Bill on Intelligence agency reforms-
In March 2011, the Intelligence Services (Powers and Regulation) Bill, 2011[24] (“Intelligence Bill”) was introduced as a private members bill by Shri Manish Tewari. He is a Member of Parliament in the Lok Sabha and currently a member of the Joint Parliamentary Committee examining the Draft Personal Data Protection Bill, 2019. The Intelligence Bill proposed to regulate the functioning of three major Indian Intelligence Agencies- Research and Analysis Wing (“RAW”), Intelligence Bureau (“IB”) and National Technical Research Organisation (“NTRO”)- by putting in place an oversight mechanism. The Bill stated that surveillance operations undertaken by such intelligence agencies infringe the right to privacy of individuals. To prevent intelligence agencies from misusing their surveillance powers, it proposed a National Intelligence and Security Oversight Committee (“NISOC”). The NISOC was empowered to seek any information that these agencies possessed. Additionally, the Intelligence Bill provided for a National Intelligence Tribunal to hold these agencies accountable. The tribunal was empowered to investigate complaints filed by any person for action taken against her or her property by these agencies. However, the Intelligence Bill, like most private member bills, never came up for discussion and ultimately lapsed.
6. National Cyber Security Policy, 2013-
In July 2013, the erstwhile Ministry of Communication and Information Technology notified the National Cyber Security Policy (“NCSP”)[25]. Based on the objectives envisioned in the NCSP 2013, the following strategies/initiatives were introduced by the Indian government:
a. Designation of the NCIIPC as the nodal agency to undertake measures to secure the country’s CII.
b. Cyber Swachhta Kendra initiative under the CERT-In to combat and analyse any malicious infections/attacks that damage computer systems. The initiative is aimed at securing the cyber ecosystem by preventing such attacks from taking place and cleaning the systems that have already been infected[26].
c. Development of multilateral relationships in the area of cyber security. In 2016, India partnered with the US for coordinating best practices in relation to cyber security and exchanging information in real time about malicious cyberattacks, among other things[27].
d. Setting up of the National Cyber Coordination Centre (“NCCC”) to create situational awareness about cyber security threats and enable timely information sharing for preventive action by individual entities[28].
7. Standing committee on IT report on ‘Cyber Crime, Cyber Security and Right to Privacy’-
In February 2014, the standing committee on IT made the following recommendations in its report on cybercrime, security and privacy[29]–
a. The committee observed that there are 20 different kinds of cybercrimes. Recognizing the impact of cyber threats on critical sectors (such as power, atomic energy, space, aviation, etc.), it recommended establishing a national protection centre to protect the CII in the country.
b. In dealing with issues pertaining to cyber frauds, the government may have to coordinate with multiple institutions, such as the Reserve Bank of India and the SEBI. Accordingly, the committee recommended to form a centralised agency to deal with all the cases of cybercrimes.
c. The committee noted that multiple agencies including Ministry of Defence (“MoD”), Ministry of Home Affairs (“MHA”), IB, NTRO, NCIIPC, etc. are involved in securing the Indian cyberspace. It also noted that to minimise overlaying responsibilities between such agencies, it has tasked the National Security Council Secretariat (“NSCS”) to oversee compliance of cyber security policies. However, this could act as a hindrance in combatting cyber threats at the earliest, given the multiple agencies involved. Recognising the need for a collaborative effort between the government and the industry to address this issue, the committee suggested to implement the recommendations made by a Joint Working Group (“JWG”) that was set up under the Deputy National Security Advisor in this regard. The JWG recommended putting in place a permanent mechanism for a Public Private Partnership (“PPP”) on cyber security as a solution, among other things.
d. The committee acknowledged that despite the cost advantages in hosting servers outside India, the accompanying technical and legal security concerns posed to the nation and citizen’s privacy have to be given due consideration. Accordingly, the committee recommended that government should take all steps to ensure that as far as possible, the servers should be hosted locally.
8. Surveillance order issued by MHA–
In December 2018, the MHA passed an order under the Interception Rules which authorized 10 security and intelligence agencies to intercept/monitor/decrypt any information transmitted, generated, received or stored on any computer resource[30]. These agencies include the IB, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Central Bureau of Investigation and the Delhi Police. The order was heavily criticized and challenged before the Supreme Court on the grounds of violating the fundamental right to privacy, as laid down in the Puttaswamy case[31]. The central government defended the order by claiming that it has been passed to pursue a legitimate state aim. Furthermore, for authorized agencies to intercept any information, the government has submitted that they will have to seek the permission of the competent authority[32]. The matter is currently pending before the Supreme Court.
9. National Cyber Security Strategy 2020-
In another one of its attempts to address the issues pertaining to cyber threats and data vulnerabilities, the Indian government has proposed to come out with the National Cyber Security Strategy (“NCSS”) 2020. The NCSS aims to examine various facets of cyber security under three pillars- securing the national cyberspace; strengthening the structures, people, processes, capabilities; and synergising the resources including cooperation and collaboration. The government had sought comments and suggestions on different aspects of the NCSS by 10th January 2020 and is currently in the process of framing the policy[33].
B. Key Issues on cyber security–
1. Surveillance and privacy-
a. The Interception Rules designate the Secretary in the Union Ministry of Home Affairs/Home Department of a state government (“Home Secretary”) as the ‘competent authority’ for approving data surveillance/monitoring requests under the IT Act[34]. Additionally, the Interception Rules provide for a review committee to oversee the directions issued by the competent authority to intercept/monitor such information[35]. Per the Interception Rules, the review committee is mandated to meet at least once in two months. Similarly, a committee headed by the chief secretary reviews directions passed by state governments.
b. This means that the central government has to approach the Home Secretary before it issues any directions to intercept/monitor any digital communication. However, given the large number of interception/monitoring requests made by the government, it becomes unfeasible for Home Secretary to objectively assess each request. Thus, the Home Secretary becomes a mere rubber stamp authority for approving government interception requests.
c. Interestingly, the Srikrishna Committee report mentioned that an application filed under the RTI Act revealed that the review committee has a task of reviewing 15,000-18,000 interception orders in every meeting[36]. This unrealistic target poses a threat to safety and security of personal data of individuals. The committee noted that surveillance should not be carried out without a degree of transparency that can pass the Puttaswamy test of necessity, proportionality and due process[37].
2. Multiplicity of institutions –
The issue of multiplicity of cyber security agencies was highlighted by the Standing Committee on IT in its 52nd report[38]. Several institutions tasked with securing the cyber space leads to lack of coordination between them. In 2015, the standing committee on IT in its 17th report outlined the action taken by the government on the recommendations of the JWG to deal with the issue of multiplicity of cyber security agencies. The report noted that the government, in July 2014, had identified the objectives that would promote the overall cooperative framework for a PPP on cyber security. However, an action plan for implementing these recommendations was still being worked out[39]. The issue as such appears to be unresolved with the following agencies dealing presently with the issue of cyber security:
a. Cyber and Information Security Division, MHA: This division under the MHA is tasked with handling the matters related to cyber security and cyber-crimes[40].
b. CERT-In: CERT-In functions under the aegis of MeitY. Its main functions include responding to cyber-security incidents and issuing security guidelines, advisories and alerts.[41]
c. NCIIPC: It acts as the national nodal agency for the protection of CII in India[42].
d. NCCC: It is responsible for creating situational awareness about existing and potential cyber security threats and enable timely information sharing for ‘proactive, preventive and protective’ actions by individual entities.
e. Indian Cyber Crime Coordination Centre (“I4C”): The I4C scheme consists of seven components which will be established on a rolling basis by the MHA in 2018-2020. The scheme consists of seven components[43], including a National Cybercrime Threat Analytics Unit, National Cybercrime Forensic Laboratory Ecosystem and National Cyber Research and Innovation Centre.
f. National Cyber Security Coordinator (“NCSC”): It was formed under the NSCS as the nodal agency for cyber security. The NCSC coordinates with different agencies at the national level for cyber security matters[44].
g. Defence Cyber Agency: The agency has been established to address the issues pertaining to military cyber security and cyber warfare. It is governed by the Defence Intelligence Agency under the MoD[45].
C. Conclusion-
From fake offerings of Netflix subscriptions to illegitimate versions of ‘PM Cares Fund’ payment interface, the MHA has flagged an 86% increase in cybercrimes during the unprecedented health crisis that has engulfed the entire world[46]. With a marked increase in the number of cybercrimes, issues such as multiplicity of agencies to deal with cyber security and ambiguity in the legal framework for surveillance/monitoring requests can further weaken the current framework under the IT Act. As the government initiates the exercise of revamping the IT Act, it has the opportunity of addressing these pressing issues by putting in place a robust mechanism focused towards cyber security. With a data protection regime and a national cyber security strategy in the pipeline, it will interesting to see how the government approaches the issues discussed above.
This post is authored by Kanupriya Grover, Associate with inputs from Arpit Gupta, Senior Associate, at Ikigai Law.
For more on the topic, please feel free to reach out to us at contact@ikigailaw.com
[1]The Information Technology Act 2000, 09 June 2000, http://164.100.47.193/BillsPDFFiles/Notification/1999-135-gaz.pdf
[2] UNCITRAL model law on electronic commerce, 30 Jan 1997, https://undocs.org/en/A/RES/51/162
[3] Centre to revamp IT Act, the Hindu, 26 February 2020, https://www.thehindu.com/business/Industry/centre-to-revamp-it-act/article30925140.ece
[4] MeitY seeks ideas on IT Act revamp, The Economic Times, 07 April 2020, https://economictimes.indiatimes.com/tech/ites/meity-seeks-ideas-on-it-act-revamp/articleshow/75017401.cms?from=mdr
[5] Procedure for blocking of websites under the Information Technology Act 2000, MeitY, https://meity.gov.in/content/it-act-notification-no-181
[6] Instituted by section 36 of the Information Technology (Amendment) Act 2008 (10 of 2009), w.e.f. 27 October 2009, http://164.100.47.193/BillsPDFFiles/Notification/2006-96-gaz.pdf
[7] Functions of CERT-In, CERT-In, https://www.cert-in.org.in/s2cMainServlet?pageid=CHARTMISSION
[8] StrandHogg vulnerability in Google Android, CERT-In, 09 December 2019, https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2019-0037
[9] Report of the committee of experts on Amendments to IT Act 2000, 2005, https://meity.gov.in/content/report-expert-committee-amendments-it-act-2000
[10] The committee of experts proposed to substitute the provision under section 66 pertaining to hacking of computer system with a provision that comprehensively dealt with offences related to damages to computer system.
[11] The committee of experts proposed to insert a new section, viz. 43(2) in the then Information Technology Act, 2000.
[12] The committee of experts proposed to insert a new section, viz. 67(2) in the then Information Technology Act, 2000.
[13]The Information Technology (Amendment) Bill, 2006, December 2006, https://www.prsindia.org/sites/default/files/bill_files/1168510210_The_Information_Technology__Amendment__Bill__2006.pdf
[14] Report of the standing committee on IT, September 2007, https://www.prsindia.org/sites/default/files/bill_files/scr1198750551_Information_Technology.pdf
[15] Entries 1 and 2, List II, Seventh Schedule, Constitution of India.
[16] Section 5(2), Indian Telegraph Act, 1855.
[17] The Information Technology (Amendment) Act 2008, 05 February, 2009, http://164.100.47.193/BillsPDFFiles/Notification/2006-96-gaz.pdf
[18] Section 32 of the Information Technology (Amendment) Act, 2008, w.e.f. 27 October 2010, http://164.100.47.193/BillsPDFFiles/Notification/2006-96-gaz.pdf
[19] Shreya Singhal vs. Union of India, (2015) 5 SCC 1, https://meity.gov.in/writereaddata/files/Honorable-Supreme-Court-order-dated-24th-March%202015.pdf
[20] Section 35 of Information Technology (Amendment) Act, 2008, w.e.f. 27 October 2010, http://164.100.47.193/BillsPDFFiles/Notification/2006-96-gaz.pdf
[21] Designation of National Critical Information Infrastructure Protection Centre as the nodal agency in respect of Critical Information Infrastructure, 16 January 2014, https://meity.gov.in/writereaddata/files/S_O_18%28E%29_0.pdf
[22] Section 36 of Information Technology (Amendment) Act, 2008, w.e.f. 27 October 2010, http://164.100.47.193/BillsPDFFiles/Notification/2006-96-gaz.pdf
[23] National Critical Information Infrastructure Protection Centre, https://nciipc.gov.in/
[24] The Intelligence Services (Powers and Regulation) Bill, 2011, March 2011, http://164.100.24.219/BillsTexts/LSBillTexts/asintroduced/7185LS.pdf
[25] National Cyber Security Policy, 2013 , 02July 2013, https://meity.gov.in/sites/upload_files/dit/files/National%20Cyber%20Security%20Policy%20%281%29.pdf
[26] Cyber Swachhta Kendra, https://www.cyberswachhtakendra.gov.in/
[27] FACT SHEET: Framework for the U.S.-India Cyber Relationship, 07 June 2016. https://obamawhitehouse.archives.gov/the-press-office/2016/06/07/fact-sheet-framework-us-india-cyber-relationship
[28] Cyber Security, Press Information Bureau, Government of India, December 2018, https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1556474
[29]52nd Report of the standing committee on IT on Cybercrime, Cyber security and Right to Privacy, February 2014, https://eparlib.nic.in/bitstream/123456789/64330/1/15_Information_Technology_52.pdf#search=Information%20Technology%20cyber%20crime
[30] The Ministry of Home Affairs, Cyber and Information Security Division, http://egazette.nic.in/WriteReadData/2018/194066.pdf
[31] MHA’s snooping order challenged in Supreme Court, The Economic Times, 24 December 2018, https://economictimes.indiatimes.com/news/politics-and-nation/mhas-snooping-order-challenged-in-supreme-court/articleshow/67232730.cms?from=mdr
[32] SC to hear after four weeks pleas against MHA surveillance notification, Business Standard, 08 March 2019, https://www.business-standard.com/article/news-ani/sc-to-hear-after-four-weeks-pleas-against-mha-surveillance-notification-119030800545_1.html
[33] National Cyber Security Strategy 2020, https://ncss2020.nic.in/
[34] Section 69 of the IT Act, read with rules 2(d), 3 and 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“Interception Rules”).
[35] Rule 22 of the Interception Rules.
[36] Pg. 125, Justice Srikrishna Committee Report on data protection: Security of the State, https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
[37] Pg. 124, Justice Srikrishna Committee Report on data protection: Security of the State, https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
[38] Please refer ‘Standing committee on IT report on ‘Cyber Crime, Cyber Security and Right to Privacy’ under Part A-Key Developments in the cyber security framework in India.
[39] Report of the Standing committee on IT on ‘Action Taken by the Government on the Recommendations/Observations of the Committee contained in their Fifty-second Report (Fifteenth Lok Sabha) on ‘Cyber Crime, Cyber Security and Right to Privacy’, December 2015, https://indiawatch.in/wp-content/uploads/2016/05/16_Information_Technology_17.pdf
[40] Cyber and
Information Security (C&IS) Division, Ministry of Home Affairs, Government
of India, https://mha.gov.in/
division_of_mha/cyber-and-information-security-cis-division
[41] Please refer ‘CERT-In’ under Part A-Key Developments in the cyber security framework in India.
[42] Please refer ‘Critical information infrastructure’ under Part A-Key Developments in the cyber security framework in India.
[43] Indian Cyber Crime Coordination Centre (I4C) – A 7-Pronged Scheme to Fight Cyber Crime, Press Information Bureau, Government of India, July 2019, https://pib.gov.in/newsite/PrintRelease.aspx?relid=191878
[44] Cyber Security,
Press Information Bureau, Government of India, December 2018, https://pib.gov.in/
PressReleaseIframePage.aspx?PRID=1556474
[45] India’s new Defence Cyber Agency, Medianama, 15 May 2019, https://www.medianama.com/2019/05/223-indias-new-defence-cyber-agency-nidhi-singh-ccg-nlud/
[46] Scammers try selling world’s tallest statue as pandemic boosts India’s cyber crime, Reuters, 07 April 2020, https://www.reuters.com/article/us-health-coronavirus-india-fraud/scammers-try-selling-worlds-tallest-statue-as-pandemic-boosts-indias-cyber-crime-idUSKBN21P0KH