Author: Lavanya KS, V year of B.A.,LL.B. from Chennai Dr ambedkar government law college pudupakkam
WHETHER THE INFORMATION TECHNOLOGY LAW IS A CYBER SECURITY LAW?
ABSTRACT
'You affect the world by what you browse’
-Sir Tim Berne’s Lee
In the 21st century, Cyber Crimes are the new shape of offenses that are the most challenging crimes to impede. It is more challenging in India as legal awareness regarding cybercrime is very inadequate and ineffective. In contemporary times, there is a tendency for an increase in dependence on technology not only in various industries but also in common households. This exclusive shift in dependency on electronic devices and the internet consequently there was a swell in cybersecurity menaces in India. Due to the constant rise in cyberattacks such as phishing, Trojans, Malware attacks, and privacy concerns, cybersecurity laws, and legal remedies exists for the victim of a cyberattack in India. The United Nations Commission on International Trade Law(UNCITRAL),1996 adopted a model law on e-commerce and digital difficulties. It also made it compulsory for every country to have its laws on e-commerce and cybercrime to protect the data of citizens and the government.
KEYWORDS:- Cyber law, cyber security, judicial activism, comparison of IT laws, remedies to cyber victims, regulation of OTT platforms, social media platforms and digital media news.
INTRODUCTION: -
In India the Act was passed in 2000, making India be 12th country in the world to pass legislation for cybercrimes. The Government of India then passed its first cyber law, The Information Technology Act,2000 which provides a lawful infrastructure for e-commerce in India. It supervises to cover extended areas of intellectual property, data protection privacy, etc. The Act safeguards the areas of e-commerce, e-governance, and e-banking while also covering penalties and punishments for violations of cybersecurity. In the era of Information and Technology, wrongdoers are using new technology to commit crimes. Therefore, an appropriate judicial approach towards technological offenses is required for the prevention of crime. The Information Technology Act, of 2000 together with the Indian Penal Code has adequate provisions to deal with prevailing Cyber Crimes. The paper intends to analyse the current legislation of India, cybersecurity, the pros, and cons of Information technology law, comparative study to carry out various cybersecurity laws in India. The paper aims to demonstrate whether the existing statutes in expansion to the upcoming laws are satisfactory to combat the contemporary and forthcoming threats to privacy and cybersecurity.
REGULATION OF OTT PLATFORMS IN INDIA: -
Over the top platform the streaming content media entertainment services on the internet. The populous streaming services kike Netflix, Amazon prime, etc. Last two years it has been hugely widespread in India and around the world. A lot of content is coming up and is widely consumed by the audience. The Concern about this kind of platform, if there is any objectionable content which could threaten the security of state law and order. If it incites hate or hatred between different communities, it could lead to violence and riots. These are genuine policies and security concerns that exist for the government. The content on many platforms is very graphic, with explicit nudity, explicit sexual content, drug consumption, smoking, alcohol, and extreme violence. All such content is not suitable for all such audiences. It is suitable for mature adults, not for kids. So there are a lot of regulatory concerns about content and OTT platforms. There are concerns like security, law and order, the impact on children, and the general impact on society. The broadcasting media will regulate the content. The government should not directly intrude on it.
IS RIGHT TO FREEDOM OF SPECH AND EXPRESSION IS A FUNDAMENTAL RIGHT IN THE DIGITAL WORLD: -
Content carried on the OTT platform its creative content. No one can curb creative expression.
“What is objectionable to me?
May not be objectionable to you”
What you consider objectionable is very subjective depending on the person. It should not be dictated by the government. When it comes to creative expression in any modern progressive democracy there should be no curb. If not outright censorship, there is a need for regulation. The information technology rules, 2021 notified under the act. It regulates social media intermediaries like Face book, Google, and Twitter, Digital media like The Print, The Wire, etc., and OTT platforms. Section 69A of the Information Technology Act, 2000 read with the Information Technology (Procedures and Safeguards for Blocking for Access of Information by Public) Rules, 2009 allows blocking of access to information. This Court, in the Shreya Singhal case (supra), upheld the constitutional validity of this Section and the Rules made thereunder. It is to be noted however, that the field of operation of this section is limited in scope. The aim of the section is not to restrict/block the internet as a whole, but only to block access to particular websites on the internet. Recourse cannot, therefore, be made by the Government to restrict the internet under this section.
"Liberty and security have always been at loggerheads. The question before us, simply put, is what do we need more. liberty or security? Although the choice is seemingly challenging, we need to clear ourselves from the platitude of rhetoric and provide a meaningful answer so that every citizen has adequate security and sufficient liberty. The pendulum of preference should not swing in either extreme direction so that one preference compromises the other. It is not our forte to answer whether it is better to be free than secure or be secure rather than free. However, we are here only to ensure that citizens are provided all the rights and liberty to the highest extent in a given situation while ensuring security at the same time."
-N.V. Ramana, J. in Anuradha Bhasin v. Union of India, (2020) 3 SCC 637, para 2
INDIA'S APPROACH IS CO-REGULATION MODEL
The model has not gone for complete regulation by the industry itself, not gone for censorship and government-led centralized regulation setting a mind for fundamental rights, freedom of speech, and expression. Self-regulation is promoted at the industry level. For example: - Netflix within their company they should follow standards, regulatory codes, and ethical codes of conduct. All the companies at the industry level come together and provide for self-regulation of the industry.
THREE-TIER REGULATORY MECHANISM
First level regulation: - Within the company each OTT platform had a self-regulatory body. They should follow certain standard codes, ethical codes prescribed by IT rules.
Second level regulation: - Industrial Level body created by all the OTT companies together form industry level self-regulatory body.
Third-level regulation: - It is led by the government. The Ministry of Information and Technology has given oversight powers over OTT platforms and limited co-regulation. The government will intervene only when it is necessary. Under the rules, each company should set a grievance redressal mechanism and code of ethics to display the details of whom to contact for complaints about content. The code of ethics should be followed by the company and apply to the whole industry. It includes parental locks and a child lock facility. So that adult content can be locked only adults will have access to it with a password. Children need not be exposed to any graphic content. The content should be classified as U/A, U/A13+, and U/A15+ content based on what kind of explicit material is present in it. It is classified according to a Universal rating system that should be displayed in each program when you start playing a movie or documentary. Then immediately get to know what the rating is, whether it is adultery, underage, etc to watch this content. A clear disclaimer must be present at the very start itself. If there are drugs, extreme violence, sexually explicit conducts, drug abuse, etc.
ISSUES UNDER INFORMATION TECHNOLOGY RULES:-
However, even though it provides for very limited self-regulation with a limited role for the government. Even companies already implement these measures like a parental lock, classified content, and disclaimers.
There is little awareness about cybercrime and there is also cyber security among the general public but implementation is not effective for the public. They don't even know they can raise a complaint or grievances against a company about the content they are watching.
The rules mandate the companies to display contact details relating to grievance redressal mechanisms and grievances officers on the OTT website. But the companies do not mention the contact details. Many companies do not display whom to complain about. This should be done prominently on the app or the websites.
It is mandated by the rules but does not specify the format, standard, font, design, how long to be displayed, and where it should be displayed. These details are not mentioned. Some companies put them in different places. Smaller OTT platforms have not even created grievance redressal mechanisms.
Compliance is very low. The big company is complied with rules but is not displayed in a standard format. Each company shows different ways of grievance and lack of awareness to consumers and doesn't know where to raise a complaint.
It is mandatory to publish the decision taken regarding these complaints. Since it is promoting self-regulation at the company level, the industry level makes it mandatory. Every month publish all the complaints and decisions they make and measures taken by the company, and industry based on the complaints they receive. It should be placed in the public domain every month because it provides more transparency and standardization. Example: - Movies are regulated by the Censor board of India. The Anti-Tobacco messages are very clearly displayed and there is a law embedded in it. The advertisements shown against the smoking duration of ads are also specified under the law.
Similarly, there is a rule for films under the cinematograph act that describes what duration, how, and what format could display the disclaimer. There should be mention of specific details in the films. For example: - Animals have not been hurt. It's all graphics. Further age ratings and content descriptors could be shown prominently in full-screen mode for a mandatory minimum duration. But here disclaimer showed for a couple of seconds. It is placed in a small corner at the top and the audience may not even see that one. So disclaimers and ratings should come prominently at the very start.
DOES IT REALLY NEED A STATUTORY BACKING FOR THIRD TIER MECHANISM?
Third-tier regulation is the Interdepartmental committee headed by the Secretary to the Minister of Information and Broadcasting. This committee should be given statutory status. Any regulatory bodies formed by the government oftentimes have legal backing. In this case, the interdepartmental head will take the decisions regarding regulating OTT platforms. It doesn't have any explicit statutory backing. Many Supreme Court and High court regions highlighted the only statutory bodies that should regulate the broadcast media. Only legally backed authorities or statutory institutions should have the power to regulate them. In this case, the interdepartmental committee is not a statutory committee. It does not have direct legal backing. The Information technology rules provide a government oversight mechanism but do not provide for specific legal backing to this committee. The secretary acting in his official capacity as a government servant could lead to vested interest where the government could block objectionable content which is affecting the government's image. This will target any dissent and opposition. If there is a movie, criticize the government or government policy or government leader. Then government officials could step in and get these movies blocked and their violation of free speech and expression. So it requires statutory backing for a third-tier mechanism.
NEW ACT AND SAFE HARBOUR CLAUSE
Recently India has come up with the New Digital India Act,2023. This act, an overpowering act, is going to replace the Information Technology act, of 2000. Since the year 2000, there have been many changes all across the world when it comes to the internet. There has been the emergence of new technologies. We have come to 5G technology and 6D Technology discussions. They have already started all across the world. Many of our home appliances are now connected to the Internet. So the internet increases the challenges about how to protect citizens, and how to protect their data. So red to amend this act and come up with a new framework to protect the citizens of the country.
The current challenges include Artificial intelligence, the internet of things like deep fakes, cybercrimes, phishing, cat fishing, and so on. There are so many new types of cybercrimes that have emerged because of cyberspace. Social media platforms are not responsible for any data, or any content that is placed on these sites by any third-party user. For example: - Mr.X has a Twitter account, and he posts some tweets. If this tweet is insightful, creates violence, causing an impact on any community n the country. Then Twitter won't be responsible for that tweet. Mr.X will be responsible for that tweet. That is called the Safe harbour clause. Because of this clause, there is no accountability on any of these social media websites, not accountable for any kind of fake news that is spreading through these mass media places.
BIG DEBATE ON FREEDOM OF SPEECH AND SECURITY ASWELL AS PUBLIC ORDER
Article 19 of the Indian constitution says about 'Freedom of speech and expression for social media platforms who can express their views on these platforms. Does this really not affect public order, morality, security, and the national interest of the country?
Recently the government of India came up with multiple rules to impact the safe harbour clause. The Information technology (Intermediary guidelines and digital media ethics code), 2021. According to these rules, all social media websites have to appoint a grievance redressal officer. If any citizen has any problem with any post, then they can send this complaint to these grievances redressal officers. These officers have to be acknowledged within 24 hours. Within 15 days they have to provide a redressal for their complaint. If any post has been flagged by the government of India that needs to be removed from the website. They have to remove it within 72 hours. The government through these rules got the power that it can get any of the posts removed from these social media websites within 72 hrs.
For example: - On Twitter, the Indian government is in the first position when it comes to requests for the removal of content from the websites. Apart from that these rules themselves to improve the grievance redressal mechanism on social media websites. India came up with three grievance redressal centre have been established in the country wherein any citizen can file a complaint if the grievance officer of that particular social media website didn't address their issue properly. So file grievances within 30 days.
The four pronged approach of Digital India Act to protect its citizens against any cyber issues.
Persons data protection bill
Various rules formulated under this act
National data governance policy
Various amendments to Indian Penal Code and amendments to companies’ act. So that these companies which using the safe harbour clause cannot hide behind this clause and
prevent any responsibility
CYBER SECURITY
Cyber security denotes the technologies and procedures intended to safeguards computers, networks, and data from unlawful admittance, weaknesses, and attacks transported through the Internet by cyber delinquents.
CYBER LAW
Informasstion Technology Act, 2000 is the principal legislation dealing with rules and provisions relating to cyber world; it provides a step forward in the field law with the modernized changing dimension of the crime world. The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government. The IT Act also various Cyber Crimes and provides strict punishments (imprisonment terms up to 10 years and compensation up to Rupees I crore). The IT Act has also brought many amendments in the other legislations to enhance their scope and applicability, likewise: The Indian Penal Code (as amended by the IT Act) penalizes several Cyber Crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc. Digital Evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the IT Act). The provisions of the Bankers' Book Evidence Act (as amended by the IT Act) are relevant.
Investigation and adjudication of Cyber Crimes is done in accordance with the provisions of the Code of Criminal Procedure and the IT Act. Concluding it could be said that computer crime is a multi-billion-dollar problem Law enforcement must seek ways to keep the drawbacks from overshadowing the great promise of the computer age. Cybercrime is a menace that has to be tackled effectively not only by the official but also by the users by cooperating with the law.
OTHER COUNTRIES COMBAT OF CYBER CRIME
Social engineering is a method where the cyber criminals make a direct contact with you using emails or phones - mostly the latter. They try to gain your confidence and due to Easily Exploitable Laws Cyber criminals use developing countries in order to evade detection and prosecution from law enforcement. In developing countries, such as the Philippines, laws against cybercrime are weak or sometimes non-existent. These weak laws allow cybercriminals to strike from international borders and remain undetected. Even when identified, these criminals avoid being punished or extradited to a country, such as the United States. That has developed laws that allow for prosecution. While this proves difficult in some cases, agencies, such as the FBI, have used deception and subterfuge to catch criminals. For example, two Russian hackers had been evading the FBI for some time. The FBI set up a fake computing company based in Seattle, Washington. They proceeded to lure the two Russian men into the United States by offering them work with this company. Upon completion of the interview, the suspects were arrested outside of the building. Clever tricks like this are sometimes a necessary part of catching cybercriminals when weak legislation makes it impossible otherwise.
President Barack Obama released in an executive order in April 2015 to combat cybercrime. The executive order allows the United States to freeze assets of convicted cybercriminals and block their economic activity within the United States. This is some of the first solid legislation that combats cybercrime in this way. The European Union adopted directive 2013/40/EU. All offences of the directive, and other definitions and procedural institutions are also in the Council of Europe's Convention on Cybercrime.
HOW TO TACKLE CYBER CRIME?
It has been seen that most cyber criminals have a loose network wherein they collaborate and cooperate with one another. Unlike the real world, these criminals do not fight one another for supremacy or control. Instead they work together to improve their skills and even help out each other with new opportunities. Hence, the usual methods of fighting crime cannot be used against cyber criminals. While law enforcement agencies are trying to keep pace with cyber criminals, it is proving to be a Herculean task. This is primarily because the methods used by cyber criminals and technology keeps changing too quickly for law enforcement agencies to be effective. That is why commercial institutions and government organizations need to look at other methods of safeguarding themselves. The best way to go about is using the solutions provided by Cross-Domain Solutions. When organizations use cross domain cyber security solutions, they can ensure that exchange of information adheres to security protocols. The solution allows organizations to use a unified system/comprising of software and hardware that authenticates both manual and automatic transfer and access of information when it takes places between different security classification levels. This allows seamless sharing and access of information within a specific security classification, but cannot be intercepted by or advertently revealed to user who is not part of the security classification. This helps to keep the network and the systems using the network safe. Cross Domain Solution offers a way to keep all information confidential by using safe and secure domains that cannot be tracked or accessed. This security solution can be used by commercial and governmental organization to ensure an impenetrable network while still making sure that users can get access to the required information easily.
ENABLING PEOPLE
The lack of information security awareness among users, who could be a simple school going kid, a system administrator, a developer, or even a CEO of a company, leads to a variety of cyber vulnerabilities. The awareness policy classifies the following actions and initiatives for the purpose of user awareness, education, and training.
A complete awareness programme to be promoted on a national level. A comprehensive training programme that can cater to the needs of the national information security (Programmes on IT security in schools, colleges, and universities).
Enhance the effectiveness of the prevailing information security training programmes. Plan domain-specific training programmes (e.g., Law Enforcement, Judiciary, E-Governance, etc.) Endorse private-sector support for professional information security certifications.
A brand new legislative framework surrounding data and information security, the Digital India Act highlights the following areas:
Creating new regulations around newer technology, including 5G, IoT devices, cloud computing, metaverse, block chain, and crypto currency
Reclassifying online intermediaries to separate categories instead of one general intermediary label, each one with its own set of regulations
Removing “safe harbour” immunity for online intermediaries for purposeful misinformation or other content violations from third parties
Creating digital standards and laws regarding artificial intelligence (AI) and machine learning (ML) technology
Criminalizing cyberbullying, identity theft, and unauthorized sharing of personal information without consent
Regulating monetization of content creation and its creators by advertising technology (adtech) companies
Removing monopolies of the digital space (big tech) and allowing fair competition from local start-ups and more choices for users
LOOPHOLES OF THE IT ACT
The Act has been largely successful in providing a regulatory framework for the use as well as misuse of cyber space in India. We are aware that information technology is a constantly changing field. There are always new uses of IT and also the new forms of its misuse are invented. In view of this, still there are following loopholes in the IT Act:
The IT Act does not provide for the spamming. Spam means unsolicited bulk E-mail messages. Now spam has become a major challenge. The US and the European countries have enacted anti-spam legislation.
Similarly, the IT Act does not have any anti-Phishing provisions. Phishing means fraudulently attempting to acquire sensitive information of persons such as usernames, passwords and credit card details through electronic means.
The IT Act does not have any data protection mechanism in Internet Banking. There is urgent need to safeguard the interest of the individual whose data is handled and processed by the banks and companies.
The IT Act also does not have any provision with respect to privacy protection of persons. The United States and other developed countries have strict rules for ensuring privacy and protection of personal data when such data is transferred out of their domain.
The IT Act has no provision to address the issue of identity theft, which has become a global problem now.
The IT Act is also silent on cyber-attack from external sources. India has faced a number of cyber-attacks from the Chinese hackers. The law should also provide a regulatory mechanism to deal with the problem of cyber-attack.
JUDICIAL ACTIVISM ON CYBER SECURITY
The judiciary plays an important role in upholding and promoting the rights of citizens in a country. The active role of the judiciary in upholding the rights of citizens and preserving the constitutional and legal system of the country is known as judicial activism.
State of Tamil Nadu vs. Suhas Kutti,
It was the first conviction case under the Information Technology Act, 2000. Indian court firstly convicted for the offence of cybercrime. The judgment was pronounced in the year 2004, within the seven month after filling the FIR, which brings the conviction for the cybercrime. The Honourable Judge of the Additional Chief Metropolitan Magistrate has passed the order of conviction. In this case, the victim was a divorcee who constantly harassed by annoying phone calls presuming that she would solicit them because of a massage posted on yahoo message group followed by forwarding emails. The massage was extremely obscene, defamatory and annoying. The accuse turn out to be her family friend and interesting in marrying her. The accused held guilty of offences under Section 469, 509 IPC and 67 of IT Act 2000. The accused had convicted and sentenced for the offence to undergo RI for 2 years. Under section 469 IPC to pay fine of Rs.500/-and, for the offence u/s 509 IPC sentenced to undergo one-year Simple imprisonment and to pay fine of Rs.500/-, and for the offense u/s 67 of IT Act 2000 to undergo rigorous imprisonment for 2 years and to pay a fine of Rs.4000/- All sentences to run concurrently
Avinash Bajaj vs. State (N.C.T) of Delhi
The famous Bazee.com case, the CEO Avinash Bajaj was arrested for an advertisement by a user to sell the DPS sex scandal video. The video was not uploaded on the portal, despite that Avinash was arrested under Section 67 of the Information Technology Act. It was subsequent to this case that the Intermediary guidelines were passed in 2011 whereby an Intermediary’s liability would be absolved if they exercised due diligence to ensure obscene content is not displayed on their portal. The court granted bail to Mr. Bajaj subject to furnishing two sureties of Rs.1 lakh each. The court ordered Mr. Bajaj to surrender his passport and not to leave India without the permission of the court. Court also ordered Mr. Bajaj to participate and assist in the investigation.
Anuradha bhasin v UOI
“You and I know the pain when we are Netflixing and suddenly the server goes down or exceeds the daily limit. That moment of frustration is equal to when one hits their pinkie toe. It is so obvious that we cannot survive without it”
The lawsuit was filed following the President's abrogation of Article 370 and the issuance of Constitutional Order 272, which made all provisions of the Indian Constitution applicable to the state of Jammu and Kashmir. In view of the current situation in the state, limitations on movement and meetings were imposed under Section 144 of the Criminal Procedure Code, and internet and telephone services were also suspended in the state. This disrupted the working of journalists, therefore petitioner, editor of Kashmir Times, Ms. Anuradha Bhasin, filed a writ petition under Article 32 of the Constitution, challenging the restrictions and arguing that such restrictions in today's world are a violation of Article 19, which guarantees freedom of speech and expression as well as the freedom to carry on any trade or occupation. In the Anuradha Bhasin case, the court took reliance on a concatenation of judgments, which recognize free speech as a fundamental right, and with time due to the evolution of technology, it has recognized the freedom of speech and expression on various media. "The Apex Court finally recognized the significance of the internet as a tool for the promulgation of information and trade and commerce in contemporary times, and finally concluded that the right to freedom of speech and expression under Article 19(1) (a), and the right to carry on any trade or business under 19(1) (g), using the medium of internet is constitutionally protected. Right to Internet has not been explicitly declared as a separate fundamental right, the court has recognized a derivative fundamental right to access the internet. "It was held that the internet is a medium through which other fundamental rights are exercised and that the freedom of speech and expression through the medium of the internet is an integral part of Article 19(1) (a) and accordingly, any restriction on the same must be in accordance with Article 19(2) of the Constitution.
COMPARATIVE STUDY ON CYBER LAWS
The United States of America enacted an act of cyber security research and development Act 2002. They developed a research agency to curb cyber-attacks and bring better cyberspace infrastructure to America. The responsibility was given to the Ministry of information and broadcasting. The E-government act, of 2002 is an important legislation to provide guidelines and regulations for information technology. It lays down stringent rules to be followed for cyber security. They introduce several new cyber security laws as well as amend the older ones for a better security ecosystem. The IT act should be amended from time to time because more cyber-attacks will be done year to year. To build a strong cyber infrastructure by allowing prompt sharing of cyber security difficulties, glitches and any other concerns between different agencies of the government. In the USA the act was named the Cyber Security Information sharing act of 2015. The US currently has 50 statutes to update new cyber policies and better cyber infrastructure.
SUGGESTIONS FOR BETTER DIGITAL WORLD
Enhance the cyber infrastructure
Develop better regulations for cyber security concerns
Create more awareness about cyber attacks
Help the cyber-attack victims
Encourage voluntary public-private relationships as well as research and development in this field.
Use preventive criteria against cyber-crimes.
Need to be enlightened about cyberspace by all the children and adults in school and college life.
CONCLUSION
"Law & Technology seldom mix like oil & water. There is a consistent criticism that the development of technology is not met by equivalent movement in the law. Non-recognition of Technology within the sphere of law is only a disservice to the inevitable"
N.V. RAMANA
In this light, the importance of the Internet cannot be underestimated, as from morning to night we are encapsulated within the cyberspace & our most basic activities are enabled by the use of the Internet. The provisions of the IT Act and the rules notified by the Government also play a significant role in regulating the digital space. With the rapid advent of technology, Cyber Laws are becoming more and more relevant. There is a need for these laws to keep evolving with the latest developments in Information Technology. The OTT platforms also need more transparency and to promote it as well. There should be self-regulatory bodies that should place the complaint in the public domain. There should also be an independent audit. These are the developments regarding cybersecurity in India with the effective implementation of information technology law.