The battle lines over encryption

The draft Information Technology Rules provide the key to the back door sought by the government, and leave no doubt that security concerns will prevail over privacy.

February 25, 2011 12:03 am | Updated November 17, 2021 03:31 am IST

In this file photo, a man uses his BlackBerry in Ahmedabad, India. As per newspaper reports, on August 31, 2010, the Government of India accepted RIM's proposal for “lawful access by law enforcement agencies” of encrypted BlackBerry data.

The draft “Information Technology (Due Diligence observed by intermediaries guidelines) Rules, 2011” circulated by the Ministry of Communications and Information Technology on February 10, 2011, address the issue of the liability of internet service providers (ISPs) and other intermediaries, an issue which achieved public notoriety through the Baazee.com case in 2004. In one master stroke, the Draft Rules settle the dispute raging over the last year, regarding the use of encryption techniques by the customers of BlackBerry, Google, Skype and MSN. Yet, while doing so, the Draft Rules also reveal the fundamental shortcomings of the IT Act even after the 2008 amendments.

The case, Avnish Bajaj v State, arose out of the sale of a video clip on the website of Baazee.com, shot on a mobile phone in MMS form, depicting two schoolchildren indulging in an explicit sexual act. Although the Baazee.com case was ultimately decided under the provisions of the Indian Penal Code, the critical legal issue in civil law is to what extent ISPs can be held liable for the content transmitted through their network. The question, which was initially addressed by California courts in the mid-1990s, was whether ISPs should be treated in the same manner as newspapers or magazines publishing content and, therefore, made potentially liable for copyright infringement, defamation, obscenity and other civil/criminal liability, or as telephone companies which are not liable for the content of the communications they transmit.

Since the seminal 1995 judgment of the District Court of Northern California in the Netcom case, the view in the U.S. has been that an ISP is a passive service provider much like a telephone company and cannot be held liable for the content transmitted through its server. This legal position changed in the U.S. with the passage of the Digital Millennium Copyright Act (DMCA), which provided a “safe harbour” for ISPs, conferring exemption from copyright liability. However, the exemption is subject to the ISP meeting certain conditions. The ISP must not have actual knowledge that the material is infringing, must not be aware of the facts and circumstances from which the infringing activity is apparent and, in the event of having such knowledge, must act expeditiously to disable such material. In order to avail himself of the exemption from liability, the service provider must also not receive a financial benefit directly attributable to the infringing activity.

The legal position in India is similar to the DMCA in that the exemption from liability is not absolute but is subject to meeting certain conditions. Following the 2008 amendments, Section 79 of the IT Act, 2000 provides that an intermediary will not be held liable for any third party information, data or communication link made available or hosted by him. However, this exemption will apply only if the following conditions are met.

First, the function of the intermediary must be limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted. Second, the intermediary does not initiate the transmission, select the receiver or select/modify the information contained in the transmission. In other words, the ISP acts like a telephone company and not like a newspaper editor who can select or edit the information provided. The exemption will also not be applicable if the ISP has conspired, aided, abetted or induced the commission of the unlawful act; or upon receiving actual knowledge that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material. The last two conditions are similar to those imposed under the DMCA in the U.S.

Furthermore, in order to avail himself of the exemption under Section 79, the intermediary must “observe due diligence” while discharging his duties under the IT Act, 2000 and also observe other guidelines which the Central government may prescribe in this behalf. For the first time, since the 2008 amendments came into force, on February 10, 2011, the Ministry of Communications and Information Technology circulated draft rules regarding due diligence by intermediaries (the “Draft Rules”).

Sub-rule (2) of the Draft Rules lists the types of infringing information which should not be transmitted by the intermediary, including information which is 1) abusive, blasphemous, obscene, vulgar etc., 2) infringing of IPRs, 3) sensitive personal information, and 4) information which threatens the unity, security or sovereignty of India. However, sub-rule (2) then tries to add in the offences which are the instruments of modern cyber crime. The list includes any information which impersonates another person, that is, identity theft, and deceiving or misleading the addressee about the origin of electronic messages, more commonly known as phishing. However, this list comprising identity theft and phishing is entirely inadequate as these are only a few methods of modern cyber crime/war. The list ignores, for example, the installation of a program which allows an attacker to remotely control the targeted computer, otherwise known as “BOTNETS.” Another common tool of cyber crime is the use of a software program or a device designed to secretly monitor and log all keystrokes, otherwise known as “keyloggers.” However, neither the remote access of a computer nor the secret monitoring of a computer resource is mentioned in sub-rule (2).

The Draft Rules also introduce a definition of “cyber security incident” as any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation. In fact, the need to include the concepts of modern cyber crime and a definition as basic and critical as “cyber security incident” in Draft Rules on due diligence by intermediaries shows that there is a fundamental lacuna in the IT Act itself, namely, that it ignores the concepts of modern cyber war altogether and is limited to the outdated concerns of theft of software code through hacking.

The partial attempt to bring in the concepts of modern cyber crime under the purview of the IT Act distracts attention from what is perhaps the main objective of the Draft Rules, that is, to codify the government's position towards service providers such as BlackBerry, Google, Skype, and MSN Hotmail which has recently attracted much attention. Research in Motion (RIM), the Canadian company, which operates BlackBerry, provides its customers with their own encryption key and does not possess a master key. According to RIM, in its system, there is no “back door” through which either RIM or any third party can gain access to the key or the customer's data.

However, the Indian government was concerned that this level of encryption makes it impossible to monitor BlackBerry messages for national security purposes and that BlackBerry's strong encryption technology could be used for terrorist or criminal activity. As per newspaper reports, on August 31, 2010, the Government of India accepted RIM's proposal for “lawful access by law enforcement agencies” of encrypted BlackBerry data. In December 2010, RIM reportedly provided the government a cloud computing-based system which would enable security agencies to lawfully intercept BlackBerry Messenger (BBM) messages in a comprehensible format but not BlackBerry Enterprise Service, that is, corporate emails.

The Draft Rules incorporate the government's stand vis-à-vis BlackBerry into law because they require an intermediary to provide information to government agencies, which are lawfully authorised for investigative, protective, cyber security or intelligence activity. In sum, the Draft Rules provide the key to the back door long sought after by the government and leave no doubt that security concerns will prevail in law over the interest in privacy through use of encryption by civil society.
