Crime Branch Advisory
The Nigerian Scam
Cyber Cafes under ITA 2008
[P.S: Most of the discussions under this article applies also to Internet and Mobile Service Providers as well as web service agencies]
Cyber Cafes continued to attract attention during this week with several mails sent from a Cyber Cafe threatening terrorist attacks on some of the Bangalore's IT companies. In the past also there have been many instances where Cyber Cafes have been used either for real or false terrorist communication. Several Cyber Crimes including stealing of bank passwords and subsequent fraudulent withdrawal of money have also happened through Cyber Cafes. Cyber Cafes have also been used regularly for sending of obscene mails to harass people. In view of these, Cyber Cafes have been considered as one of the key intermediaries which need to be regulated. In order to regulate Cyber Cafes, several States had passed regulations some under ITA 2000 and some under the State Police Act.
Now, The Information Technology Amendment Act 2008 has made many significant changes in the prevailing laws of cyber space applicable in India, one of which is regarding Cyber Cafes.
ITA 2000 had not defined Cyber Cafes and one had to interpret them as "Network Service Providers" referred to under the erstwhile Section 79 which imposed on them a responsibility for "Due Diligence" failing which they would be liable for the offences committed in their network. The concept of "Due Diligence" was interpreted from the various provisions in Cyber Cafe regulations where available or under the normal responsibilities expected from network service providers. The undersigned had also drawn up a "CyLawCom" guidelines for Cyber Cafes to enable them pass the benchmark test of due diligence and suggested a CyLawCom audit and certification for them.
The New Act (To be effective after notification) after amendments which we refer as ITA 2008 has however provided a specific definition for the term "Cyber Cafe" and also included them under the term "Intermediaries". Several aspects of the act therefore become applicable to Cyber Cafes and there is a need to take a fresh look at what Cyber Cafes are expected to do for Cyber Law Compliance.
Firstly, according to Section 2(na) of ITA 2008,
"Cyber cafe" means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public.
This definition is an improvement of what was earlier proposed by the Expert Committee and the first draft of ITAA 2006 which had several anomalies.
This definition may however conflict with the definitions given under the current regulations passed by various States.
For example, the Karnataka regulations for Cyber Cafes define a Cyber Cafe as:
"Any premises where the Cyber Cafe Owner/Network Service Provider provides the computer services including internet access to the public"
According to TN regulations, a "Browsing Center" means and includes
"any establishment by what so ever name called where the general public have an access to Internet in any of its forms, protocols either on payment or free of charges for any purpose including recreation or amusement"
It also says.." a browsing center shall be deemed to be a public place as defined under Sec-3 of Tamil Nadu City Police 1888"
In the Karnataka definition, any "Network Service Provider" providing "Computer Services" may be called the "Cyber Cafe". In the TN definition, any Kiosks in say Airport or a Railway Station where free Internet access is given to public may also qualify as a Cyber Cafe.
The TN rules require registration of Cyber Cafes and both impose responsibilities such as maintenance of visitor's register, verification of photo ID etc.
The Karnataka regulation was notified under Section 90 of ITA 2000 while the TN act was notified under the State police act. Now that ITA 2000 has been amended, the provisions under Karnataka Cyber Cafe regulation may have to be considered as in fructuous while there may a question mark on the validity of TN regulations. Mumbai, Maharashtra and Gujarat who also have some state level regulations may also be in a state similar to that of TN.
Section 2(w) of ITA 2008 further states that the definition of "Intermediaries" includes "Cyber Cafes". The regulations for Intermediaries therefore apply to Cyber Cafes after ITA 2008 becomes effective.
As per Section 67(C) of ITA 2008,
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Thus the responsibility of Cyber Cafes has now been clearly defined with a three year imprisonment which is also cognizable, bailable and compoundable.
Additionally, three important sections have been added to the present Act according to which the Government has the powers to intercept, monitor, block, and collect traffic data. These sections impose certain responsibilities on the intermediaries and make non compliance punishable. These regulations also apply to Cyber Cafes.
For example, under Section 69 (modified version),
(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.
(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed
(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -
(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or
(b) intercept or monitor or decrypt the information, as the case may be; or
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.
The important points to be noted in this section as well as the two other sections 69A and 69 B quoted below are
These powers are available to both the Central and State Governments who can specially authorize an officer for the purpose.
b) It can be invoked even for preventing incitement to the commission of any cognizable offence. It is debatable whether the term "Cognizable offence" has to be restricted to ITA 2008 only or can be extended to IPC or other laws as well.
c) Government shall prescribe necessary safeguards to be followed by Intermediaries.
d) The powers include demanding of information stored in a computer
e) Non compliance may result in stiff penalty of imprisonment upto 7 years.
Under Section 69 A,
(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections
(2) for reasons to be recorded in writing, by order direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.
This section provides for blocking of websites in any case where prevention of a cognizable offence. This can take care of blocking of websites which may host pornographic content which is an offence under sections 67, 67A and 67 B of ITA 2008.
Under Section 69 B, the Government now will have powers to collect "Traffic data" and also seek online access to information in the hands of an intermediary. The section provides,
(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.
(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.
Under this section, Government can force Cyber Cafes to follow safeguards specified and also demand online access if required.
The sections 69, 69A and 69B specifically vest the powers in an agency to be designated. It has deliberately avoided the use of the term "Police". The legislative intent is therefore indicative that Police need not be the agency to exercise the powers under these sections.
There is of course a serious concern in the public that the powers under these sections may be misused. Naavi.org has been suggesting that we need to set up an agency called "Netizen's Rights Commission" on the lines of the Human Rights Commission which can have the powers to receive the complaints, investigate and recommend prosecution of abuse of the powers under the sections 69,69A and 69B.
In the event any State Government would like to assume powers under these sections and also provide the benefits of the powers to the Police, it would be advisable for the State Government to set up a "State Netizen's Rights Commission" and subject the Police to the scrutiny of the commission or set up a separate non-police agency such as a "State Cyber Security Authority" and then vest the powers in such an authority.
In the meantime, if the Central Government also notifies an agency for the purpose of exercising the authority under Sections 69, 69A and 69B and provides it with pan national jurisdiction, then there may be a conflict of jurisdiction such as what we today have between the State Police and the CBI.
There is an expectation that the Indian Computer Emergency Team referred to under Section 70 B of ITA2008 may itself be designated as the agency of the Central Government with a national jurisdiction and CERT-In the present division of MCIT may itself be stepping into the shoes of the Indian Computer Emergency Team.
Considering that there are thousands of Cyber Cafes all over India, in the event a Central agency takes up the responsibility for monitoring Cyber Cafes, there may be a need for an "All India Cyber Cafe Monitoring Authority" exclusively to meet the requirements of Cyber Cafe regulations.
Last but not the least, Cyber Cafes must be now more than ever vigilant about security breaches since the protection they could claim under Section 79 has been largely made irrelevant since 79 (2) (C) makes the protection subject to following of "Due Diligence".
With the security practices to be notified under Sections 69, 69A and 69 B, the requirement of "Due Diligence" would be satisfied only of these security practices are maintained. It would therefore be necessary for Cyber Cafes to undergo a Cyber Law Compliance Audit for fulfilling the specific requirements under these sections. In the event Government does not come out with any security practices guidelines for Cyber Cafes, then also the due-diligence requirements have to take into account the expectations under these sections. Either way there is a tough road ahead for Cyber Cafes.
At the same time the Police at the State level would be looking for clarification on whether they have the authority under Section 69,69A and 69B to regulate the Cyber Cafes. They however continue to enjoy some powers under Section 80 with which they can still try to regulate Cyber Cafes.
Let's wait for the notification of rules to understand where Cyber Cafe Regulation is heading.
Source : Naavi