The Information Technology Act, 2000, serves as a useful illustration of the dearth of dynamism in digital rule-making in India. Though it forms the legislative bedrock of the country’s online edifice, it has only been significantly amended once in 2008. And while it witnessed minor revisions from time to time since then, these were largely informed by political exigencies rather than any long-term digital vision.
Illustratively, the last amendment to the IT Act, made in 2017 through the Finance Bill, merged the Cyber Appellate Tribunal with the Telecom Disputes Settlements and Appellate Tribunal. The merger was ostensibly precipitated by several reports that surfaced late in 2016 about the defunct state of the Cyber Appellate Tribunal; voicing concern that India was digitising too rapidly without having a proper grievance redressal body in place.
The government’s recent decision to revise the IT Act’s provision pertaining to intermediary liability, Section 79, is the most recent instance of this kind of reactive rule-making. Section 79 protects online intermediaries from any unlawful third-party content that may be posted on their websites. The deaths of 31 people due to mob violence, purportedly incited by messages sent via social media, prompted the government to limit the scope of this protection. Specifically, a committee tasked to look into the matter recommended the indictment of the country heads of the companies that run these platforms, if the latter are unable to curb the spread of malicious misinformation online.
Though this suggestion is problematic on several accounts, the government is still studying the matter. Whilst it is doing so, it is recommended that it also consider revising other deficits within the IT Act that, one, prevent enforcement agencies from adequately dealing with the challenges brought about by the rise of the digital realm and, two, preclude the realisation of new technological imperatives that have significant ramifications for security.
To begin with, the IT Act relies on the Code of Criminal Procedure, 1974, (CrPC), to lay out the procedural mandates for criminal offences. This is problematic for two reasons. First, the CrPC was introduced at a time when technological capabilities were relatively undeveloped. As such, its provisions apply more readily to spatial dimensions and physical objects than intangible, electronic records.
Second, regular police personnel, specifically any officer holding the rank of inspector, are responsible for investigating nefarious online activities. The difficulty that arises here is that cybercrimes are a nuanced form of criminal activity that require years of specialised training and a deep understanding of technology to probe adequately. The government is well aware of this reality, which is why the home ministry is unveiling specialised cybercrime portals and certain states like Maharashtra and Karnataka have introduced cyber police cells to tackle digital malfeasance.
It is well-documented that India’s authorities struggle to deal with criminal activity in the digital sphere appropriately. Deficits generally lie in the areas of human resources, technological capability and knowledge. There was even a case where a petition was filed to transfer the investigation of a cybercrime under the IT Act to an independent agency because the investigating officer could not handle the inquiry appropriately.
Reports indicate that the government is currently deliberating amending the provision under the IT Act so that the nodal investigative officer is at least the rank of a deputy superintendent of police (DSP). However, it is unclear how charging a higher-ranking officer with the responsibility of investigating cybercrimes will address current deficits. For one, it is likely to exacerbate capacity issues as DSPs are not commonly located across the country, particularly in rural areas. In fact, this was the primary reason the charge of investigating cybercrimes was accorded to inspectors by the IT Amendment Act, 2008. Moreover, handing over investigative responsibility to a higher-ranking officer will do little to close the gaps in technical know-how currently plaguing domestic enforcement agencies.
According to a study conducted by the United Nations Office on Drugs and Crime (UNODC), cybercrime legislation must fulfil two normative requirements to be effective. First, it must encompass a well-defined template for procedural powers so as to ensure proper implementation and adherence to legally-recognised principles.
Second, it should grant legal sanction to officers for processes involving the collection and preservation of electronic evidence. Though the IT Act and its accompanying rules hint at these norms there is nothing in the way of a concrete playbook that informs cyber-policing capabilities. As such, a majority of cybercrime cases in India are left unreconciled. Illustratively, according to a report by the National Crime Records Bureau, only 38% of the 24,187 cybercrime incidents reported in 2016 were disposed of by the end of the year.
The IT Act also contains statutory impediments that thwart the effective implementation of frontier technologies that can reduce cyber vulnerabilities. Illustratively, the IT Act precludes the usage of digital signatures to transactions or documents involving immovable property. This hinders Blockchain-based applications such as land titling and record keeping – a key consideration in a country where 70% of litigation pertains to property. Reports reveal that most blockchain projects in the Indian public sector fail to move beyond the MoU stage, largely due to regulatory uncertainty. As the government has repeatedly signalled its intent to create impetus and drive the adoption of blockchain technology, it must follow up with concrete policy action in this regard.
Academic consensus on the digital economy indicates that there are certain elements that must be in place for online activity to flourish in any jurisdiction. These include – an enabling regulatory framework, robust digital infrastructure, and targeted skilling and education programs. This triumvirate safeguards the user interests, enhances digital access, and allows meaningful engagement and online activity; thereby bolstering welfare gains. It follows, then, that as the needs and nature of the digital economy evolve, so must the scope and reach of this tripartite structure.
The IT Act was introduced to grant impetus to the rise of digital technologies in the country and establish a legal system to foster e-commerce. Some of the purported aims of the Act have, indeed, been realised as may be evinced by the proliferation of smartphones and digital businesses. However, as the deficits delineated above indicate, the IT Act is presently ill-equipped to tackle the security challenges brought about by the rise of the digital medium.
As such, it would behoove the government to consider revising the gaps in the current framework whilst it mulls over how best to deal with violence impelled by fake news propagated on social media. Specifically, the government must look at introducing a procedural mandate that is more readily applicable to cybercrime and create imperatives for newer technological paradigms that could reduce systemic vulnerabilities. Such a move would go a long way in bolstering the security of India’s digital economy overall, rather than just addressing a particular political pain point.
Meghna Bal is a lawyer by training and is currently a Strategy and Operations Officer at ConsenSys, the world’s largest blockchain technology firm. She was formerly a Junior Fellow working on the Cyber Initiative at the Observer Research Foundation. The views in the article are the author’s own.