Saturday, October 07, 2006

test

This is a test only


Monday, May 09, 2005

IT Act 2000: Digital Signature and Risks

The passing of the IT Act 2000 was seen as an important event, as it appeared to signal the entry of India into the Cyberworld. Our legal system now had to accept digital signatures at par with ink signatures, except in some special instances. With this, we expected governments, businesses and individuals to be motivated to accept digital signatures, but if the experience of the intervening period is anything to go by, this expectation has been belied. Be that as it may, the issue that this article takes up is whether the law drafters and the law makers had considered the inherent risk in accepting the digital signature. Another question we will look at is whether our technology-bureaucracy took into account the warnings the technology wizards sounded against the commercial interests of the PKI businesses.

Digital certification is an excellent business model for the certifying "authority". It costs almost nothing to sign a certificate (I can write 5 lines of Java code for this, and you can run it any number of times in a year), and even if an income of Rs 500/= is received for every certification, it assures a good income stream for the Certifying "Authorities" (CA) over the years. Income in the range of Rs 25000/= per certificate is a rich bonanza!

Just because an "authority" has signed the certificate does not mean that the risk in accepting the digital certificate lies with the CA. It still lies with you, the acceptor of the digital signature, even if it is discovered that the CA has failed in its due diligence. Why would you go for a digital signature when you can get an ink signature from your business partner, especially if it is likely to result in a legal dispute and you have to carry the risk in case of any financial loss? So rational and intelligent businesses would like to stay clear of this risk.

Since the CA business model and the CCA's respectability come out of increased digital signature use, the Government has decided to go out of its way to encourage digital signatures by giving incentives to businesses that use them for doing business with the government. The financial risk in accepting a digital signature lies with the acceptor of the digital signature, and if that happens to be the government itself, they are even prepared to forgo some percentage of the income the Government receives per transaction as an incentive. A rather bizarre situation.

If a CA is a business, what about the "Controller" of CAs? When we have Import/Export, we need a "Controller" of Imports and Exports, right? We need someone who gives CAs a license to do their business! This comes out of a mind-set of License Raj, and the irony is, it came when the other arm of the Government was busily engaged in dismantling the "License Raj". We created the infrastructure and organizational set-up to license the CAs. There is ample motivation amongst the technology-bureaucracy to create and man an organizational set-up with budget allocation, and to provide them with the thrill of running a business enterprise with Government money allocated year after year. Every time the government bureaucracy wants to run a business, whether it is making steel, rolling out cars, running a hotel or running a transportation business, the motivation is the same. Unfortunately, the then Minister, who was a crusader and was busy selling off one by one the businesses run by the Government, was the same minister who approved this new "government business" in the garb of a "Controller".

If you have a "Controller" in your name, then it can easily pass off as a Government function! The United States of America, where the technology of digital signature is more prevalent than anywhere else in the world, does not have a "Controller" of Certifying Authorities in its Government set-up. So their model does "not" suit our bureaucracy. Instead, we go hunting for a model in countries like Singapore or Malaysia or wherever, till we find a model that satisfies the entrepreneurial aspirations of the technology-bureaucracy, but with a "no risk" budget allocation. If these bureaucrats were told to raise the money to run the enterprise by going to the market through an IPO, then they would have been less enthusiastic. If the US is not prepared to allocate state budget for this activity, why should we, when we have urgent alternate demands such as primary education, health care and social security allocations? This is a question that was never asked in any of the thousands of notes scribbled by the bureaucracy before the IT Act 2000 was passed.

Now, let us look at the Digital Signature more critically. Abdul's digital signature does not prove that Abdul signed the message, only that his private key did. When writing about non-repudiation, cryptographic theorists often ignore the messy details that lie between Abdul and his computer. If his computer were appropriately infected, the malicious code could use his key to sign documents without his knowledge or permission. Even if he needed to give explicit approval for each signature (e.g., via a fingerprint scanner), the malicious code could wait until he approved a signature and sign its own message instead of his. If the private key is not in tamper-resistant hardware, the malicious code can simply steal the key as soon as it is used.

While it is legitimate to ignore such details in cryptographic research papers, it is just plain irrational to assume that real computer systems implement the theoretical ideal. Should one need to deny some signature, one would have the burden of proving the negative, that one didn't make the signature in question, against the presumption that one did.

The main risk in believing this popular falsehood, that if a person's private key is used it was done by him or with his consent, stems from the cryptographic concept of "non-repudiation". It is even worse if a country's laws are made to make you liable (legally) if your private key is used to sign a document! (See S 42 IT Act: For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.) Unfortunately, there is likely to be a time gap between when the key is actually compromised and when we realize, if at all, that it has been compromised. Moreover, as stated earlier, the person who accepts the signature is also at risk. The Indian IT Act 2000 actually fixes the liability on the one who accepts the digital signature. The CA is not legally liable for the possible financial loss. That is, it is a "do it at your own risk" proposition!

The only way to escape the misplaced legal liability is:

* Never get your key certified by a Certifying Authority.
* Never get your public key published for the benefit of the public.
* Never accept digital signature for things that involve legal liability.

(This does not, however, prevent the use of digital signature between two trusted friends or partners.)

In other words, if the country has gone grossly wrong due to over enthusiastic but under informed technocrats in getting the IT Act 2000 passed, the only way to protect yourself is by escaping the provisions of the law.

The modern-day Guru of Cryptography, Bruce Schneier, will convince you how patently ill-conceived the Digital Signature provisions of the IT Act are in one short essay, "Ten Risks of PKI". Just Google for the article.

If the current article starts a debate on the subject, the purpose of the article is more than adequately served.

_____________________________________________________________________
* The author is a technologist and works in Software for Modern Cryptography and Digital Signature.

Friday, March 25, 2005

Is IT Act 2000 Draconian?

This has reference to the message posted on an Indian Yahoo group by an innocent participant sharing an "adults only" picture of Bush and Osama.

I am going to illustrate how "Draconian" the "IT Act 2000" is through this posting. Obviously, the group member did not realise that he was committing an offence under the law of the land.

The questions are:
1. Is it lascivious?
2. Does it appeal to the prurient interest?
3. Are its effects such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it?

If the answer is "yes" to any one or more of these, "whoever publishes or transmits or causes to be published in the electronic form" has committed an offence under S 67 of the IT Act 2000. Punishment for a first offence: 5 years SI/RI and/or Rs 1 lakh. Subsequent offence: 10 years SI/RI and/or Rs 2 lakh.

Some important points:
0. Anyone can complain.
1. Even if there is no complaint, if the DySP believes an offence has been committed under the IT Act, he can initiate proceedings.
2. Any DySP or higher can inquire into the matter.
3. He can confiscate the computer/laptop.
4. He can arrest the person without an arrest warrant from a magistrate.
5. Even if the offence is not actually committed, the DySP, or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf, may enter any public place (that means a person in any public place with his laptop) and search and arrest without warrant any person found therein who is reasonably suspected of being about to commit any offence under this Act (i.e. if he has material or a photo in electronic form on his laptop that fits the description of "yes" to questions 1, 2 or 3 above, he may be considered to be "about to commit" the offence of transmitting it by email or other means). He need not record his reason in writing; he just has to suspect the probable commission of the offence in his mind! The expression "public place" includes any public conveyance, any hotel, any shop or any other place intended for use by, or accessible to, the public. (S70 IT Act 2000)

Even if the obscene picture is in encrypted form on your computer/laptop, under S 68 of the IT Act 2000 the "Controller" can, if he records that it affects public order or is for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource. The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information. The subscriber or any person who fails to assist the agency referred to above shall be punished with imprisonment for a term which may extend to seven years. (S 69 IT Act 2000)

Now, what if the offence of sending the jpg image was committed by an NRI living abroad? Vide S 75(2) of the Act, the Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. An email received meets this criterion.

What if the act of sending the image was committed by a foreign national? Vide S 75(1) of the Act, the provisions of this Act shall apply also to any offence or contravention committed outside India by any person, irrespective of his nationality.

The fact that a warning "adults only" was inserted prominently in the subject line by the originator again does not mitigate the offence. The law does not exempt consenting adults exchanging lascivious pictures.

The fact that an ISP like VSNL has delivered the mail with the jpg picture makes the Chairman & MD of the ISP liable to be arrested and proceeded against, unless he can prove that he has exercised due diligence to filter out such content. If the CEO of bazee.com can be arrested for advertising the availability of a CD with lascivious content (mind you, not the content itself!), then every ISP that fails to filter out such pictures should be liable for arrest and criminal action. If ground realities are taken into account, and if every customer were to report such emails, no ISP Chairman/MD will ever find any time to do his work, but will be busy getting arrested and getting bailed out every day of the year!

Mr Ratan Tata, are you listening?

One saving grace is that the Police may not be aware of its nuisance value as yet! Organisations have their own learning curve.

IT Act 2000: Any Comments

I thank the cyber media, the organisers of the e-crime Seminar (23 March), for the opportunity to listen to a distinguished panel and for the interesting off-line discussion we had on the IT Act 2000.

Here is a shocking revelation that shakes the very ground on which the whole edifice (a large part of it, at least) of the IT Act 2000 stands. Here is the blog for you to reflect on.

The lawyers who were involved in drafting the IT Act 2000 must have taken the words of the technocracy for truth, as "bible"; the actual facts must come as a shock to many.
The truth must be told, lest the country should be misguided into believing the "lies" and the innocent citizen be made the scapegoat.

How a country like the USA can do its business without the services of a statutory body, the "Controller of Certifying Authority", is a topic for discussion in a future post. (Mind you, the CCA provision was passed under the very nose of a Minister like Dr Arun Shourie, who spent a large part of his energy in implementing the philosophy that "The Government should keep out of business and must govern".)

So is the fact that, in spite of the "Controller of Certifying Authority" and the CA certifying the digital signature, the total risk involved and the financial injury suffered by the citizen in accepting the digital signature lie entirely with the person accepting the digital signature and NOT with the CA or CCA, even if it was proved that it was due to the mistake of the CA or CCA. This is also for a future post on the blog.

Please reflect on the matter and put in your comments on the blog itself for the world to see.

Thursday, March 24, 2005

Digital Signature & Indian IT Act 2000

With the highest respect for the esteemed Parliament that passed the IT Act 2000 and HE the Hon. President of India, who approved the same, here are some truths that might shock you.

Alice's digital signature does not prove that Alice signed the message, only that her private key did. When writing about non-repudiation, cryptographic theorists often ignore a messy detail that lies between Alice and her key: her computer. If her computer were appropriately infected, the malicious code could use her key to sign documents without her knowledge or permission. Even if she needed to give explicit approval for each signature (e.g., via a fingerprint scanner), the malicious code could wait until she approved a signature and sign its own message instead of hers. If the private key is not in tamper-resistant hardware, the malicious code can just steal the key as soon as it's used.

While it is legitimate to ignore such details in cryptographic research papers, it is just plain wrong to assume that real computer systems implement the theoretical ideal. Our computers may contain viruses. They may be accessible to passers-by who could plant malicious code or manually sign things with our keys. Should we then need to deny some signature, we would have the burden of proving the negative: that we didn't make the signature in question, against the presumption that we did.

The main risk in believing this popular falsehood stems from the cryptographic concept of "non-repudiation".

Public-key infrastructure has been oversold as the answer to many network security problems. We discuss the problems that PKI doesn't solve, and that PKI vendors don't like to mention.
Worst of all is if a country's laws are made to make you liable (legally) if your private key is used to sign a document! (See S 42 IT Act. For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.)
In spite of the "Controller of Certifying Authority" and the CA certifying the digital signature, the total risk involved and the financial injury suffered by the citizen in accepting the digital signature lie entirely with the person accepting the digital signature and NOT with the CA or CCA, even if it was proved that it was due to the mistake of the CA or CCA. (This requires a detailed future post.)
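What a relying party can and cannot learn from a valid signature, as an added toy illustration of the point made in this post and again in the later "IT Act 2000: Digital Signature and Risks" post (this is the editor's example, not code from the blog, from any CA, or from the Schneier essay). It uses textbook RSA over two small constructed primes with a SHA-256 digest, a hypothetical model of Alice's computer that signs whatever the code holding the key chooses at the moment she approves, and a constructed clock for the compromise and CA-notification times that S 42 makes decisive; the names, messages, times and the `relying_party_accepts` rule are all assumptions.

```python
"""Toy model: a valid signature proves the key was used, not that Alice meant it.

Added example.  Textbook RSA over small constructed primes; hypothetical
host model and clock.  Not real signing code and not the IT Act's procedure.
"""
from __future__ import annotations

import hashlib

# Constructed toy key pair: Alice's public key is (N, E), private exponent D.
P, Q = 104729, 1299709            # small primes, for illustration only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse (Python 3.8+)


def _digest(message: bytes) -> int:
    """SHA-256 of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_d: int, message: bytes) -> int:
    """Anything holding D can produce a valid signature: Alice, or code on her host."""
    return pow(_digest(message), private_d, N)


def verify(public_e: int, message: bytes, signature: int) -> bool:
    """Checks only that the exponent paired with E was applied to this digest."""
    return pow(signature, public_e, N) == _digest(message)


def host_signs(private_d: int, approved: bytes, infected: bool,
               substitute: bytes) -> tuple[bytes, int]:
    """Hypothetical model of Alice's computer at the moment she approves one signature.

    On a clean host the approved message is signed.  On an infected host the
    code that holds the key signs `substitute` instead, the scenario the text
    describes; Alice sees the same approval prompt either way.
    """
    target = substitute if infected else approved
    return target, sign(private_d, target)


def relying_party_accepts(message: bytes, signature: int, signed_at: int,
                          reported_compromise_at: int | None) -> bool:
    """Assumed acceptance rule: the mathematics must check out, and the
    subscriber must not yet have notified the CA of compromise at signing time.
    A signature made in the gap between compromise and notification passes."""
    if not verify(E, message, signature):
        return False
    return reported_compromise_at is None or signed_at < reported_compromise_at


def demo() -> dict[str, bool]:
    """Constructed scenario: key compromised at t=100, signing at t=150, CA told at t=200."""
    approved = b"Pay supplier Rs 10,000"        # what Alice meant to sign
    substitute = b"Pay attacker Rs 10,00,000"   # constructed substitute
    t_signing, t_reported = 150, 200
    clean_msg, clean_sig = host_signs(D, approved, False, substitute)
    bad_msg, bad_sig = host_signs(D, approved, True, substitute)
    return {
        # the mathematics cannot tell the two apart
        "approved_message_verifies": verify(E, clean_msg, clean_sig),
        "substituted_message_verifies": verify(E, bad_msg, bad_sig),
        # the S 42-style check only helps once the CA has been notified
        "signed_in_gap_accepted": relying_party_accepts(bad_msg, bad_sig, t_signing, t_reported),
        "signed_after_report_accepted": relying_party_accepts(bad_msg, bad_sig, t_reported + 1, t_reported),
        # what a signature does protect against: alteration after signing
        "altered_message_verifies": verify(E, bad_msg + b"!", bad_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the substituted message verifying exactly as well as the one Alice approved, and the acceptance rule passing anything signed before the compromise was reported, which is the time gap the text describes. All the mathematics establishes is that the private exponent was applied to that digest; who applied it, and whether the signer ever saw the message, has to come from the security of the host and the key store, not from the signature.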

That is what the Indian IT Act 2000 does, i.e. it fixes the liability on the one who accepts the digital signature. That is, do it at your own risk! The only way to escape the misplaced legal liability is:

  • Never get your key certified by a Certifying Authority.
  • Never get your public key published for the benefit of the public.
  • Never accept digital signature for things that involve legal liability.
  • This does not prevent using digital signature between two trusted friends or partners.

In other words, if the country has gone grossly wrong due to over enthusiastic but under informed technocrats in getting the IT Act 2000 passed, the only way to protect yourself is by rejecting the provisions of the law the same way Gandhiji rejected the law governing the Salt Tax. We perhaps need a modern day "Dandi March".

If this shocks you, you are not alone. There are many who will be shocked. The best service you can do them is by inviting them to this blog.

The modern-day Guru of Cryptography, Bruce Schneier, will convince you how patently ill-conceived the Act is in one short essay here: "Ten Risks of PKI".

P.S:
  1. If you have not heard of Bruce Schneier, your opinions about Computer Security are not worth knowing, or are perhaps dangerous. You are like the Catholic Priest who has not heard of the Pope!
  2. If your opinions differ from those of Bruce, one of you (you or Bruce) must be wrong. And, without much debate, you must be wrong.
  3. If you don't read his Schneier on Security, you had better not misguide society into believing that you are a computer security expert!
Conclusion: Since Bruce is right, the Indian IT Act 2000 is dangerous to society. The danger is too complex to be appreciated by the lay public, or by a Parliament not exposed to the rigors of the Risk Assessment discipline.