India's New IT Law Increases Surveillance Powers
A new IT law has come into force in India that frees Internet portals from liability for third-party content and activity, but also gives the government powers to monitor communications on the Internet, and block web sites that are found to be offensive.
The Information Technology (Amendment) Act 2008 was passed by the Indian Parliament in December last year, about a month after terrorist attacks in Mumbai, and reflects the government's concern that the Internet is being extensively used by terrorists to communicate and plan their activities. It entered force Tuesday, according to a news release from India's Ministry of Communications & Information Technology on the web site of the government's Press Information Bureau.
The rules for blocking web sites under certain conditions have come in for criticism, as they leave the decision in the hands of bureaucrats. "I will be given a chance to present my case after my site has been blocked, and I will be heard by bureaucrats," Vijay Mukhi, an expert on issues related to cyber regulation, said on Tuesday. The blocking of sites should be done instead through a court of law, he added.
While interception of online communications may be justified in certain circumstances, because of the terrorist threat to the country, the government has to put mechanisms in place to ensure that the information collected through such interception is not misused, Mukhi said. "I am worried about misuse through business espionage, and loss of personal privacy," Mukhi added. He recommended the setting up of an organization like an ombudsman to keep a check on misuse of information.
Some of the provisions for surveillance and blocking of web sites were present in the earlier Information Technology Act 2000, but were not implemented with any seriousness, Mukhi said.
Section 79 of the new Act meets a demand by Internet companies, including Google, that they should not be held responsible for offensive content or communications using services provided by these companies. The correspondign section of the earlier act held network service providers liable unless they could prove that the offense or contravention was committed without their knowledge or that they had exercised all due diligence to prevent the commission of such an offense or contravention.
The new section 79 removes the liability of intermediaries in these kind of situations, unless it is proven that they were in connivance with the offender, or did not act quickly, when notified, to remove the offensive material.
The onus of proving that the intermediary has not shown due diligence, or that the offense or contravention was done with the connivance of the intermediary, now shifts to the individual complainant, said Pavan Duggal, a cyber law consultant and advocate in India's Supreme Court, in an interview earlier this year.
The amendment blocks out effective remedies for ordinary users, as they will not have access to records of the intermediary, and will never be able to prove that the intermediary conspired or abetted in the commission of an offense, Duggal added.
The new IT Act is also lacking in the area of data confidentiality and personal privacy, Duggal said.
The law may also strengthen the hands of India's security agencies, who have been demanding that service providers like Research In Motion should make decryption keys available to security agencies when required.
On receipt of a decryption order, the decryption key holder concerned must within the period stated in the decryption direction disclose the decryption key, or provide the decryption assistance, according to the new Act.
At the peak of the controversy last year, RIM said that the BlackBerry security architecture for enterprise customers is specially designed to exclude the capability for RIM or any third party to read encrypted information under any circumstances.
The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates his own key, and only the customer possesses a copy of his encryption key, RIM said in an update to its Indian customers last year.
The company declined to comment on Tuesday on the specific provisions of the new Act.