Friday, March 25, 2005

Is IT Act 2000 Draconian?

This has reference to the message posted on an Indian Yahoo group by an innocent participant sharing an "adults only" picture of Bush and Osama.

I am going to illustrate how "Draconian" the "IT Act 2000" is through this posting. Obviously, the group member did not realise that he was committing an offence under the law of the land.

The questions are
1. Is it lascivious?
2. Does it appeal to the prurient interest?
3. Are its effects such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it?

If the answer is "yes" to any one or more of these, "whoever publishes or transmits or causes to be published in the electronic form" has committed an offence under Section 67 of IT Act 2000. Punishment for first offence: 5 years SI/RI and/or Rs 1 lakh. Subsequent offence: 10 years SI/RI and/or Rs 2 lakh.

Some important points:
0. Anyone can complain.
1. Even if there is no complaint, if the DySP believes an offence has been committed under the IT Act, he can initiate proceedings.
2. Any DySP or higher can inquire into the matter.
3. He can confiscate the computer/laptop.
4. He can arrest the person without an arrest warrant from a magistrate.
5. Even if the offence is not actually committed, the DySP, or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf, may enter any public place (that means a person in any public place with his laptop is covered) and search and arrest without warrant any person found therein who is reasonably suspected of being about to commit any offence under this Act. In other words, if he has material or a photo in electronic form on his laptop that fits the description of "yes" to questions 1, 2 or 3 above, he may be considered to be "about to commit" the offence of transmitting it by email or other means. The officer need not record his reason in writing; he just has to suspect the probable commission of the offence in his mind! The expression "public place" includes any public conveyance, any hotel, any shop or any other place intended for use by, or accessible to, the public. (S70 IT Act 2000)
Even if the obscene picture is in encrypted form on your computer/laptop, under S 68 of IT Act 2000 the "Controller" can, if he records, for reasons to be given in writing, that it affects public order or that it is needed for preventing incitement to the commission of any cognizable offence, by order direct any agency of the Government to intercept any information transmitted through any computer resource. The subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information. The subscriber or any person who fails to assist the agency referred to above shall be punished with imprisonment for a term which may extend to seven years. (S 69 IT Act 2000)

Now, what if the offence of sending the jpg image was committed by an NRI living abroad? Vide S 75(2) of the Act, the Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. An email received meets this criterion.

What if the Act of sending the image was committed by a foreign national? Vide S 75(1) of the Act, the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.

The fact that a warning "adults only" was inserted prominently in the subject line by the originator again does not mitigate the offence. The law does not exempt consenting adults exchanging lascivious pictures.

The fact that an ISP like VSNL has delivered the mail with the jpg picture makes the Chairman & MD of the ISP liable to be arrested and proceeded against unless he can prove that he has taken due diligence to filter out such content. If CEO of bazee.com can be arrested for advertising the information of availability of a CD with lascivious content (mind you, not the content itself!) then every ISP that fails to filter out the contents of such pictures should be liable for arrest and criminal action. If ground realities are taken into account, and if every customer were to report such emails, no ISP Chairman/MD will ever find any time to do his work, but will be busy getting arrested and getting bailed out every day of the year!

Mr Ratan Tata, are you listening ?

One saving grace is that the Police may not be aware of its nuisance value as yet! Organisations have their own learning curve.

IT Act 2000: Any Comments

I thank the cyber media, the organisers of the e-crime Seminar (23 March) that gave an opportunity to listen to a distinguished panel and the interesting off-line discussion we had on the IT Act 2000.

Here is a shocking revelation that shakes the very ground on which the whole edifice (a large part of it at least) of IT Act 2000 stands. Here is the blog for you to reflect on.

The lawyers who were involved in drafting the IT Act 2000 must have taken the words of the technocracy as "bible" truth; the actual facts must come as a shock for many.
The truth must be told lest the country should be misguided into believing the "lies" and innocent citizens are made the scapegoats.

How a country like the USA can do its business without the services of a statutory body, the "Controller of Certifying Authority", is a topic for discussion in a future post. (Mind you, the CCA provision was passed under the very nose of a Minister like Dr Arun Shourie, who spent a large part of his energy in implementing the philosophy that "The Government should keep out of business and must govern".)

So is the fact that, in spite of the "Controller of Certifying Authority" and the CA certifying the digital signature, the total risk involved and the financial injury suffered by the citizen in accepting the digital signature lies entirely with the person accepting the digital signature and NOT with the CA or CCA, even if it were proved that it was due to the mistake of the CA or CCA. This is also for a future post on the blog.

Please reflect on the matter and put in your comments on the blog itself for the world to see.

Thursday, March 24, 2005

Digital Signature & Indian IT Act 2000

With the highest respect for the esteemed Parliament that passed the IT Act 2000 and H.E. the Hon. President of India, who approved the same, here are some truths that might shock you.


Alice's digital signature does not prove that Alice signed the message, only that her private key did. When writing about non-repudiation, cryptographic theorists often ignore a messy detail that lies between Alice and her key: her computer. If her computer were appropriately infected, the malicious code could use her key to sign documents without her knowledge or permission. Even if she needed to give explicit approval for each signature (e.g., via a fingerprint scanner), the malicious code could wait until she approved a signature and sign its own message instead of hers. If the private key is not in tamper-resistant hardware, the malicious code can just steal the key as soon as it's used.

While it is legitimate to ignore such details in cryptographic research papers, it is just plain wrong to assume that real computer systems implement the theoretical ideal. Our computers may contain viruses. They may be accessible to passers-by who could plant malicious code or manually sign things with our keys. Should we then need to deny some signature, we would have the burden of proving the negative: that we didn't make the signature in question against the presumption that we did.

The main risk in believing this popular falsehood stems from the cryptographic concept of "non-repudiation".

Public-key infrastructure has been oversold as the answer to many network security problems. We discuss the problems that PKI doesn't solve, and that PKI vendors don't like to mention.
Worst of all is if a country's laws are made to make you liable (legally) if your private key is used to sign a document! (See S 42 IT Act. For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.)
In spite of the "Controller of Certifying Authority" and the CA certifying the digital signature, the total risk involved and the financial injury suffered by the citizen in accepting the digital signature lies entirely with the person accepting the digital signature and NOT with the CA or CCA, even if it were proved that it was due to the mistake of the CA or CCA. (This requires a detailed future post.)
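An added example (not part of the original post, and not code from the Act, any CA or Schneier's essay) that makes the two points above concrete: a textbook RSA verifier cannot tell Alice's signature from one made by malware holding her key, and a relying party that checks the CA's compromise record still binds the subscriber for anything time-stamped before she reported the compromise. The key sizes, the certificate serial, the messages and the timestamps are constructed for the demonstration.

```python
import hashlib

# Toy RSA key pair, constructed for illustration only (two Mersenne primes; far too small for real use).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # Alice's private exponent (Python 3.8+ for modular inverse)
ALICE_KEY_ID = "alice-cert-0001"          # hypothetical certificate serial issued by the CA

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes, d: int = D) -> int:
    # Whoever holds d produces this value: Alice at her keyboard, or malware on her PC.
    return pow(_digest(msg), d, N)

def verify(msg: bytes, sig: int) -> bool:
    # Proves only that the private key was used, nothing about who used it.
    return pow(sig, E, N) == _digest(msg)

class CertifyingAuthority:
    """Hypothetical CA record of when each subscriber reported a key compromise."""
    def __init__(self) -> None:
        self.compromise_reported_at = {}

    def report_compromise(self, key_id: str, when: int) -> None:
        self.compromise_reported_at[key_id] = when

    def key_valid_at(self, key_id: str, when: int) -> bool:
        reported = self.compromise_reported_at.get(key_id)
        return reported is None or when < reported

def accept(msg: bytes, sig: int, signed_at: int, ca: CertifyingAuthority, key_id: str) -> str:
    """Relying party's decision; signed_at is assumed to come from a trusted time-stamp."""
    if not verify(msg, sig):
        return "rejected: bad signature"
    if not ca.key_valid_at(key_id, signed_at):
        return "rejected: key reported compromised before signing time"
    return "accepted: subscriber bound"

if __name__ == "__main__":
    ca = CertifyingAuthority()
    alice_msg = b"I agree to pay Rs 1 lakh"      # constructed sample
    malware_msg = b"I agree to pay Rs 10 lakh"   # constructed sample, signed by malware using D
    print(accept(alice_msg, sign(alice_msg), 50, ca, ALICE_KEY_ID))       # accepted
    print(accept(malware_msg, sign(malware_msg), 60, ca, ALICE_KEY_ID))   # accepted: indistinguishable
    ca.report_compromise(ALICE_KEY_ID, 100)
    print(accept(malware_msg, sign(malware_msg), 150, ca, ALICE_KEY_ID))  # rejected after report
    print(accept(malware_msg, sign(malware_msg), 60, ca, ALICE_KEY_ID))   # still accepted: S 42 liability
```

The last call is the S 42 situation: the signature was forged by malware, yet nothing in the verification or the CA record distinguishes it from Alice's own, so the subscriber stays bound for everything dated before the report.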

That is what Indian IT Act 2000 does, i.e. it fixes the liability on the one who accepts the digital signature. That is, do it at your own risk! The only way to escape the misplaced legal liability is

  • Never get your key certified by a Certifying Authority.
  • Never get your public key published for the benefit of the public.
  • Never accept digital signature for things that involve legal liability.
  • This does not prevent using digital signatures between two trusted friends or partners.
In other words, if the country has gone grossly wrong due to over-enthusiastic but under-informed technocrats in getting the IT Act 2000 passed, the only way to protect yourself is by rejecting the provisions of the law the same way Gandhiji rejected the law governing the Salt Tax. We perhaps need a modern day "Dandi March".
If this shocks you, you are not alone. There are many who will be shocked. The best service you can do them is by inviting them to this blog.

The modern day Guru of Cryptography, Bruce Schneier, will convince you how patently ill-conceived the Act is in one short essay here: Ten Risks of PKI

P.S:
  1. If you have not heard of Bruce Schneier, your opinions about Computer Security are not worth knowing, or perhaps dangerous. You are like the Catholic Priest who has not heard of the Pope!
  2. If your opinion differs from that of Bruce, one of you (you or Bruce) must be wrong. And, without much debate, you must be wrong.
  3. If you don't read his Schneier on Security, you had better not misguide society into believing that you are a computer security expert!
Conclusion: Since Bruce is right, Indian IT Act 2000 is dangerous to society. The danger is too complex to be appreciated by the lay public or by a Parliament not exposed to the rigors of the Risk Assessment discipline.