In theÂ past several years, there have been many instances in India where Cyber Cafes have been used either for real or false terrorist communication. Several Cyber Crimes including stealing of bank passwords and subsequent fraudulent withdrawal of money have also happened through Cyber Cafes. Cyber Cafes have also been used regularly for sending of obscene mails to harass people. In view of these, Cyber Cafes have been considered as one of the key intermediaries which need to be regulated.
In order to regulate Cyber Cafes, several States had passed regulations some under ITA 2000 and some under the State Police Act. Now, The Information Technology Amendment Act 2008 has made many significant changes in the prevailing laws of cyber space applicable in India, one of which is regarding Cyber Cafes.
ITA 2000 had not defined Cyber Cafes and one had to interpret them as “Network Service Providers” referred to under the erstwhile Section 79 which imposed on them a responsibility for “Due Diligence” failing which they would be liable for the offences committed in their network. The concept of “Due Diligence” was interpreted from the various provisions in Cyber Cafe regulations where available or under the normal responsibilities expected from network service providers.Â
The New Act (To be effective after notification) after amendments which we refer as ITA 2008 has however provided a specific definition for the term “Cyber Cafe” and also included them under the term “Intermediaries”. Several aspects of the act therefore become applicable to Cyber Cafes and there is a need to take a fresh look at what Cyber Cafes are expected to do for Cyber Law Compliance.
Â Firstly, according to Section 2(na) of ITA 2008, “Cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public. This definition is an improvement of what was earlier proposed by the Expert Committee and the first draft of ITAA 2006 which had several anomalies.
This definition may however conflict with the definitions given under the current regulations passed by various States. For example, the Karnataka regulations for Cyber Cafes define a Cyber Cafe as: “Any premises where the Cyber Cafe Owner/Network Service Provider provides the computer services including internet access to the public”.
According to TN regulations, a “Browsing Center” means and includes “any establishment by what so ever name called where the general public have an access to Internet in any of its forms, protocols either on payment or free of charges for any purpose including recreation or amusement” It also says..” a browsing center shall be deemed to be a public place as defined under Sec-3 of Tamil Nadu City Police 1888″.
In the Karnataka definition, any “Network Service Provider” providing “Computer Services” may be called the “Cyber Cafe”. In the TN definition, any Kiosks in say Airport or a Railway Station where free Internet access is given to public may also qualify as a Cyber Cafe. The TN rules require registration of Cyber Cafes and both impose responsibilities such as maintenance of visitor’s register, verification of photo ID etc.
The Karnataka regulation was notified under Section 90 of ITA 2000 while the TN act was notified under the State police act. Now that ITA 2000 has been amended, the provisions under Karnataka Cyber Cafe regulation may have to be considered as in fructuous while there may a question mark on the validity of TN regulations. Mumbai, Maharashtra and Gujarat who also have some state level regulations may also be in a state similar to that of TN.
Section 2(w) of ITA 2008 further states that the definition of “Intermediaries” includes “Cyber Cafes”. The regulations for Intermediaries therefore apply to Cyber Cafes after ITA 2008 becomes effective.
As per Section 67(C) of ITA 2008,Â an Â Intermediary is expected to preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribeÂ and on failure to do so he mayÂ be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Thus the responsibility of Cyber Cafes has now been clearly defined with a three year imprisonment which is also cognizable, bailable and compoundable.
Additionally, three important sections have been added to the present Act according to which the Government has the powers to intercept, monitor, block, and collect traffic data. These sections impose certain responsibilities on the intermediaries and make non compliance punishable. These regulations also apply to Cyber Cafes.
For example, under Section 69 (modified version),Â the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.Â The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, willÂ be prescribed and if the intermediary fails to assist the agency, Â he may be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.
The important points to be noted in this section as well as the two other sections 69A and 69 BÂ are
a) These powers are available to both the Central and State Governments who can specially authorize an officer for the purpose.
b) It can be invoked even for preventing incitement to the commission of any cognizable offence. It is debatable whether the term “Cognizable offence” has to be restricted to ITA 2008 only or can be extended to IPC or other laws as well.
c) Government shall prescribe necessary safeguards to be followed by Intermediaries.
d) The powers include demanding of information stored in a computer e) Non compliance may result in stiff penalty of imprisonment upto 7 years.
Under Section 69 A, the Central Government or any of its officer specially authorized by it in this behalfÂ mayÂ direct any agency of the Government or intermediary to block access by the public. Â The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine. This section provides for blocking of websites in any case where prevention of a cognizable offence. This can take care of blocking of websites which may host pornographic content which is an offence under sections 67, 67A and 67 B of ITA 2008.
Under Section 69 B, the Government now will have powers to collect “Traffic data” and also seek online access to information in the hands of an intermediary. The IntermediaryÂ who intentionally or knowingly contravenes the provisions may be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Under this section, Government can force Cyber Cafes to follow safeguards specified and also demand online access if required.
The sections 69, 69A and 69B specifically vest the powers in an agency to be designated. It has deliberately avoided the use of the term “Police”. The legislative intent is therefore indicative that Police need not be the agency to exercise the powers under these sections.
There is of course a serious concern in the public that the powers under these sections may be misused. Naavi.org has been suggesting that we need to set up an agency called “Netizen’s Rights Commission” on the lines of the Human Rights Commission which can have the powers to receive the complaints, investigate and recommend prosecution of abuse of the powers under the sections 69,69A and 69B.
In the event any State Government would like to assume powers under these sections and also provide the benefits of the powers to the Police, it would be advisable for the State Government to set up a “State Netizen’s Rights Commission” and subject the Police to the scrutiny of the commission or set up a separate non-police agency such as a “State Cyber Security Authority” and then vest the powers in such an authority.
In the meantime, if the Central Government also notifies an agency for the purpose of exercising the authority under Sections 69, 69A and 69B and provides it with pan national jurisdiction, then there may be a conflict of jurisdiction such as what we today have between the State Police and the CBI.
There is an expectation that the Indian Computer Emergency Team referred to under Section 70 B of ITA2008 may itself be designated as the agency of the Central Government with a national jurisdiction and CERT-In the present division of MCIT may itself be stepping into the shoes of the Indian Computer Emergency Team.
Considering that there are thousands of Cyber Cafes all over India, in the event a Central agency takes up the responsibility for monitoring Cyber Cafes, there may be a need for an “All India Cyber Cafe Monitoring Authority” exclusively to meet the requirements of Cyber Cafe regulations. [More details on the amendments is available at www.naavi.org)