1. ‘Enforcing’ the Information Technology Act:
Regulating Cyberspace – Version 2.0
Rodney D. Ryder
Rodney D. Ryder Scriboard 1
2. Internet Security and Legal Compliance:
Regulating Cyberspace – Version 2.0
Part 1 – Internet Law and Policy
• Information Technology Act, 2000
• Structuring a policy
• Current law in India
Part 2 – Data Privacy and Information Security [Challenges and Strategies]
• Data Protection legislation around the world [European Commission Directive and the UK Act; Data Protection model: the United States]
3. The need for a national strategy
Internet Law and Policy: New Media Regulation and India
4. The Rise [and fall?] of Cyberspace
• The Importance of Internet Architecture – ‘decentralised routing system’ – designed to carry messages from point to point even if intermediate communication exchanges are blocked, damaged or destroyed. <the dumb network>
• ‘The net interprets censorship as damage, and routes around it’. John Gilmore, Lawless, The Economist, July 1995.
• <Cyberspace>; <Neuromancer> and the “Network” [A place governed by its own laws - as introduced by William Gibson]
• “Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]
• Benkler’s layers – the physical, the code and content [in communications theory]
• Lessig <Code and other laws of Cyberspace>
• Ryder <Regulating ‘Indian’ Cyberspace>
• Goldsmith and Wu <Who Controls the Internet? The Illusions of a Borderless World>
5. The ‘New Medium’ and the Law
• The Information Technology Act, 2000 – in a phrase: ‘functional equivalence’
• ‘Electronic Commerce’ as an objective
• Understanding the role of the medium – incidental [blackmail, stalking]; content [obscene or sensitive material]; integrity [unauthorised access and/or modification]
• Adaptability and Enforcement of Indian law – lessons from the American experience [Adobe Systems v. Dmitry Sklyarov]
6. Structuring Information Systems Management
• The Basics: the “machine” and the “medium” – What is a Cybercrime?
• The criminal act – discovery [detection] and analysis
• The Cybercrime Manual – fostering preparedness
• Focussing on ‘relevant’ issues and appropriate classification of offences
• Cyber forensics and the collection of evidence
• Crisis management [internal and external]
7. The Information Technology Act, 2000
• Chapter I: Preliminary [Definitions]
• Chapter II: Digital Signatures and Electronic Signatures
• Chapter III: Electronic Governance
• Chapter IV: Attribution, Acknowledgement and Dispatch of Electronic Records
• Chapter V: Secure Electronic Records and Secure Electronic Signatures
• Chapter VI: Regulation of Certifying Authorities
• Chapter VII: Electronic Signature Certificates
8. The Information Technology Act, 2000
• Chapter VIII: Duties of Subscribers
• Chapter IX: Penalties, Compensation and Adjudication
• Chapter X: The Cyber Appellate Tribunal
• Chapter XI: Offences
• Chapter XII: Intermediaries not to be liable in certain cases
• Chapter XIIA: Examiner of Electronic Evidence
• Chapter XIII: Miscellaneous
9. ‘Offences’ under the Indian Information Technology Act, 2000
• Tampering with computer source documents/‘code’ [Section 65];
• Transmission of Offensive Messages through Communication [Section 66A];
• Dishonest receipt of stolen computer resource or communication device [Section 66B];
• Punishment for Identity Theft [Section 66C];
• Cheating by personation using computer resource [Section 66D];
• Violation of Privacy [Section 66E];
• Cyber Terrorism [Section 66F];
• Publishing or transmitting obscene material in electronic form [Section 67]; Publishing or transmitting of material containing sexually explicit act in electronic form [Section 67A]; Publishing or transmitting of material depicting children in sexually explicit act in electronic form [Section 67B].
10. ‘Duties’ under the Indian Information Technology Act
• Duty of the Organisation “… maintain reasonable security practices and procedures” [Section 43A] – What is a reasonable Corporate Security System? [ISO 27001/27002]
• “Offences by Companies” [Section 85] – “… every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company…”
• Use of Organisation’s IT Resources should be governed by Internal IT Use and Security Policies
11. E-Commerce and the Model Law - I
• New Terms [and Issues]: Virtual Goods, Web hosting, Server [essence of business transactions remains the same]
• Conventional law has not become obsolete... [a] ‘Online’ contracts are not different from ‘offline’; [b] Medium of a transaction is generally irrelevant for the law.
• Traditional Legal concepts based on the existence of a tangible medium: ‘instrument’, ‘document’, ‘original’, ‘signature’…
• Legal concepts based on geographic location: ‘delivery’, ‘receipt’, ‘dispatch’, ‘surrender’…
12. E-Commerce and the Model Law - II
Model Law: [a] to facilitate rather than regulate electronic commerce; [b] to adapt existing legal requirements; [c] to provide basic legal validity and raise legal certainty.
Functional Equivalence: [a] Analyse purposes and functions of paper-based requirements [‘writing’, ‘record’, ‘signature’, ‘original’]; [b] consider criteria necessary to replicate those functions and give electronic data the same level of recognition as information on paper.
Media and Technology Neutrality: [a] Equal treatment of paper-based and electronic transactions; [b] Equal treatment of different techniques [EDI, e-mail, Internet, telegram, telex, fax]
13. E-Commerce and the Model Law - III
– Party Autonomy: [a] Primacy of party agreement on whether and how to use e-commerce techniques; [b] Parties free to choose security level appropriate for their transactions
– Article 7 [Signature]: Legal requirement is met in relation to a data message if: [a] a method is used to identify the signatory and to indicate his approval of the information contained in the data message; and [b] that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated.
– Article 8 [Original]: Legal requirement is met by a data message if: [a] there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form, as a data message or otherwise; and [b] information is capable of being displayed to the person to whom it is to be presented.
14. E-Commerce and the Model Law - IV
• Article 9 [Evidence]: In any legal proceedings, nothing in the rules of evidence shall apply so as to deny the admissibility of a data message in evidence solely because it is a data message.
• Article 11 [Use of data messages in contract formation]
• Article 12 [Non-repudiation]
• Article 13 [Attribution of data messages]
• Article 14 [Acknowledgement of receipt]
• Article 15 [Time and place of dispatch and receipt]
• Articles 16 and 17 [Electronic commerce and carriage of goods]
15. E-Commerce and the Model Law - V
A data message is deemed to be sent when it enters an information system outside the control of the originator.
A data message is deemed to be received: [a] If the addressee has designated an information system to receive the message, when the message enters the designated system; or [b] If the message is sent to an information system other than the designated system, when the addressee retrieves the message.
16. Internet Cases in India [I]
• Vodafone Essar Ltd vs Raju Sud [Bombay High Court; Summary Suit No. 3264/2009, Dated: 22 November, 2011] - the subscriber challenged the authenticity of computer generated bills which contained the charges. The Court held that, “printouts taken from the computer/server by mechanical process as contemplated under Sections 65 and 65-A of the Evidence Act is permitted, irrespective of the compliance with the requirement of Section 65-B of the Act”.
• State v. Navjot Sandhu [Supreme Court of India, Case No.: Appeal [Crl.] 373-375 of 2004, Date of Judgement: 04/08/2005] - The Hon’ble Supreme Court, when examining Section 65B, held that even when an affidavit/certificate under Sec. 65B is not filed it would not foreclose the Court from examining such evidence provided it complies with the requirements of Sections 63 and 65 of the Evidence Act.
• Super Cassettes v. MySpace Inc. [Delhi High Court; CS [OS] No. 2682/2008] - One of India’s first judgments on the issue of intermediary liability, specifically on the point of copyright infringement of recordings of the plaintiff.
17. Internet Cases in India [II]
• Vinod Kaushik v. Madhvika Joshi [Adjudication Officer, Maharashtra. Complaint Case No. 2/2010] - the legality of accessing a spouse’s email account without their permission. Whether unauthorised access?
• Eastern Book Company v. DB Modak [Supreme Court of India. Appeal [Civil] 6472 of 2004] - copyright protection available to electronic databases in India.
• Dharambir v. Central Bureau of Investigation [Delhi High Court. 148 [2008] DLT 289] - the admissibility and reliability of digital evidence.
• Societe des Produits Nestle SA v. Essar Industries [2006 [33] PTC 469] – Admissibility of Electronic Evidence
18. Legal Issues and the ‘Cloud’ – I [Scenarios and Situations]
• ‘Physical Location’ of the Data – [a] where is the data stored? [jurisdiction and legal governance of the data] [b] Dispute Resolution – in the event of conflict
• Responsibility for the Data – Disaster Management [Indemnification? Insurance?] Is there liability coverage for the breach of privacy? What if the data center is hacked?
• Intellectual Property – [a] Is the data protected under Intellectual Property Law? How secure are trade secrets? What are the conditions under which the vendor grants third parties access to your data?
19. Legal Issues and the ‘Cloud’ – II [Contracts and Enforcement]
• Privileged User Access – Who has access and their backgrounds
• Regulatory Compliance – Vendors must be willing to undergo audits and security certifications
• Data Location
• Security: the legal responsibility [Security Breach?] – [a] physical security; [b] operational security – ‘private cloud’ or the ‘utility model’; [c] programmatic or code-based security
• Data Segregation and the use of Encryption
• Recovery
20. Privacy and the Internet
Data Privacy and Information Security
21. Privacy concerns
A fundamental human right: the right of the individual to be let alone
• Information Privacy [data protection] - personal data
• Bodily privacy - invasive procedures - search, drug testing; genetic testing; etc
• Communications Privacy - mail, telephone, e-mail etc
• Territorial privacy - domestic privacy; CCTV; ID checks etc
“Public” aspects - surveillance, police powers and national security
22. Growth of Importance of Privacy
Overview - major International and US regulations [ranging from human rights to business issues]
HUMAN RIGHTS
1948 UN Universal Declaration of Human Rights
1970 US Fair Credit Reporting Act
1974 US Privacy Act
1976 International Covenant on Civil and Political Rights
1980 OECD Guidelines on Protection of Privacy
1980 US Privacy Protection Act
1995 European Commission Directive on Data Protection
1994 US Communications Assistance to Law Enforcement Act
1996 US Health Insurance Portability and Accountability Act
1998 US Children's Online Privacy Protection Act
1998 European Member States implement Directive
1999 US Financial Services Modernization Act
BUSINESS ISSUES
23. Privacy and Data Protection law in India
There is no general privacy or data protection law in India:
• Constitution Article 21: Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone”
• International Covenant on Civil and Political Rights 1966 Article 17: No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
• Law of privacy [Tort Law] – Action for unlawful invasion of privacy
24. The [Indian] Information Technology Act, 2000
• Section 43 [a] - Penalty for unauthorised access to a computer system
• Section 43 [b] - Penalty for unauthorised downloading or copying of data without permission
• Section 72 - Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, disclosing such information to another person
25. Current law in India
• Public Financial Institutions Act of 1983 codifies confidentiality of bank transactions
• ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications
• A general data protection law in India? The National Task Force on IT and Software Development 1998 submitted an “IT Action Plan” calling for a “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data”, but no Act introduced to date
26. Possible approaches to Data Protection
Data Protection Worldwide
27. Data Protection legislation worldwide
[Slide table: countries of the world grouped by data protection legislation status under the column headings NONE, PENDING, IN PLACE and EUD or ‘ADEQUATE’, with the United States marked ‘safe harbor’; the column assignment of individual countries is lost in extraction and only the headings are recoverable.]
28. Industrialised Countries Legislation timeline
• Norway – Personal D Reg Act – in force 14 April 2000
• Finland – Personal DP Act – in force 1 June 1999
• Sweden – Personal Data Act – in force 24 October 1998
• Denmark – Act on Processing of PD – in force 1 July 2000
• Belgium – Data Protection Act – in force 1 Sep 2001
• Ireland – [none listed]
• Germany – Data Protection Act – in force 23 May 2001
• United Kingdom – Data Protection Act – in force 1 March 2000
• Austria – Data Protection Act – in force 1 January 2000
• Luxembourg – [none listed]
• Canada – PIP&ED Act – commenced 1 Jan 2001
• Mexico – eCommerce Act – in force 7 June 2000
• Italy – Data Protection Act – in force 8 May 1997
• Netherlands – Law on Protection of PD Act – in force 1 Sep 2001
• United States [includes] – CPP Act 1984; VPP Act 1988; COPP Act 1998 [in force 21 April 2000]; HIPA Act [in force 14 April 2001]; GLB Act [in force 1 July 2001]; ‘General’ Act [under consideration]
• Hong Kong – Personal Data [Privacy] – in force 20 Dec 1996
• Australia – Privacy Act – in force 21 Dec 2001
• Spain – Data Protection Act – in force 13 January 2000
• France – [none listed]
• Taiwan – Computer Processed DP – in force 11 August 1995
• New Zealand – Privacy Act – in force 1 July 1993
• Portugal – Personal DP Act – in force 27 October 1998
• Greece – Protection Processing – in force 10 April 1997
• Switzerland – Data Protection Act – in force 1 June 1999
• South Korea – eCommerce Act – in force January 1999
• Eastern Europe – Estonia [96]; Poland [98]; Slovak [98]; Slovenia [99]; Hungary [99]; Czech [00]; Latvia [00]; Lithuania [00]
29. Possible approaches to Data Protection
Data Protection in Europe
30. European Data Protection Directive
• Directive 95/46/EC of the European Commission
• Now implemented in almost all Member States
e.g. UK: previously - UK Data Protection Act 1984; now - UK Data Protection Act 1998 [in force March 2000] [“DPA”]
31. UK DPA 1998 - The Eight Principles
1. Personal data must be processed fairly and lawfully
2. Personal data must be collected and used only for notified purposes.
3. Personal data must be adequate, relevant and not excessive.
4. Personal data must be accurate and, where necessary, kept up-to-date.
5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected.
6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.
32. UK DPA 1998 - The Eight Principles
7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place.
8. Personal information must not be transferred out of the European Economic Area ["EEA"] unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
33. Transfers of Personal Data from Europe to India
The Eighth Principle
Personal information must not be transferred out of the European Economic Area ["EEA"] unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
34. Alternative Grounds: “Seventh-Principle” type contract
Notwithstanding lack of country adequate status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if there is sufficient protection for individual data subjects, having regard to:
- nature of data being transferred;
- purposes for processing;
- security measures in place;
- individual rights to redress if things go wrong
Note - all of these could be covered in a Seventh-Principle type contract
36. Legal Services: Technology, Media and Communications
‘Enforcing’ the Information Technology Act
Regulating Cyberspace – Version 2.0
Rodney D. Ryder
rodney@scriboard.com