it law 2 - dr p d sebastian
8/9/2019 It Law 2 - Dr p d Sebastian
THE INFORMATION TECHNOLOGY LAW
THE CONCEPT OF NATIONAL SECURITY IN DATA
PROCESSING
INTRODUCTION TO THE INFORMATION TECHNOLOGY LAW
The Origin of Information Technology Act of 2000
"Moving bits is cheaper than moving atoms"
- Nicholas Negroponte [1]
Since the beginning of civilization, man has always been motivated by the need to better the existing technologies. This has
led to tremendous development and progress. Of all the significant
advances made by mankind to date, probably the most important
is the development of the Internet. To put it plainly, the Internet is a global
network of computers, all of them speaking the same language.
The real power of today's Internet is that it is available to anyone
with a computer and a telephone line. The Internet places in an
individual's hands the immense and invaluable power of
information and communication. Internet usage has significantly
increased over the past few years.
The Parliament, under Article 253 of the Indian
Constitution and relying on the Resolution of the General Assembly of
the United Nations, passed India's first Cyber Law. This saw the
beginning of the Information Technology Bill in the year 1999.
The Information Technology Bill is not an original piece of
legislation. It has been based on the UNCITRAL Model Law on
E-Commerce and incorporates within it the important features of
the Model Law.

[1] Information Technology Law and Practice: Cyber Law and E-Commerce, Vakul Sharma, Page No. 3

All the abovementioned and other varied
considerations created a conducive atmosphere for enacting relevant Cyberlaws in India. The Government of India
responded by coming up with the draft of the first Cyberlaw of
India, i.e., the Information Technology Bill of 1999. The very
purpose of the Information Technology Bill of 1999 was to provide
the necessary legal and business infrastructure required for
enabling e-commerce in India. The proposed Bill purported to
facilitate the coming together of trade and commerce, besides
eliminating barriers coming in the way of electronic commerce
resulting from the glorious uncertainties relating to writing and
signature requirements over the Internet.
On 17th May 2000, the Parliament created history when
it passed India's first Cyber Law aimed at regulating cyberspace,
namely, the Information Technology Act of 2000. It received the
President's assent on June 9, 2000 and was implemented on
October 17, 2000. The Information Technology Act of 2000 was
the first amongst a series of cyber legislations which India will
require to effectively become a super power in cyberspace. It
provides for a legal infrastructure aimed at promoting e-commerce
in India.
THE OBJECTIVES OF THE INFORMATION TECHNOLOGY
ACT OF 2000
The objectives of the Information Technology Act of 2000
are defined as hereunder:
1. To provide legal recognition for transactions carried out by means of electronic data interchange and other means of
electronic communication, commonly referred to as electronic
commerce, which involve the use of alternatives to paper-based methods of communication and storage of information.
2. To facilitate electronic filing of documents with the Government agencies and further amend the Indian Penal Code,
the Indian Evidence Act of 1872, the Bankers' Books Evidence
Act of 1891 and the Reserve Bank of India Act of 1934 and for
matters connected therewith or incidental thereto.
Towards this end, the said Act stipulates numerous provisions.
It also aims to provide for a legal framework so that legal
sanctity is accorded to all electronic records and other activities
carried out by electronic means.
DEFINITIONS
For the purpose of understanding the topic under consideration,
we shall first set out the important definitions of the terms covered under the
law.

1. Data
Section 2 (o) of the Information Technology Act of 2000 defines
the term "data" to mean a representation of information, knowledge,
facts, concepts or instructions which are being prepared or have
been processed in a computer system or computer network, and may be in any form (including computer
printouts, magnetic or optical storage media, punched cards,
punched tapes) or stored internally in the memory of the computer.

2. Security
According to Black's Law Dictionary [2], the term "Security" means
protection, assurance and indemnification. The term is applied to
an obligation, pledge, mortgage, deposit, lien, etc., given by a
debtor in order to assure the payment or performance of his debt,
by furnishing the creditor with a resource to be used in case of
failure in the principal obligation.

[2] Page No. 1216

3. Security Procedure
Section 2 (zf) of the Information Technology Act of 2000 defines
the term "Security Procedure" to mean the security procedure
prescribed under Section 16 by the Central Government.
Section 16 of the Information Technology Act of 2000 provides for
"Security procedures and practices": The Central Government
may, for the purposes of Sections 14 and 15, prescribe the security
procedures and practices. Provided that in prescribing such security procedures and practices, the Central Government shall
have regard to the commercial circumstances, nature of
transactions and such other related factors as it may consider
appropriate.

4. Data
The term "data" is defined under Section 3 of the Data Protection
Act of 1998 as information which is
- processed automatically or recorded with the intention to process automatically, or
- recorded as, or with the intention that it be, part of a manual
"relevant filing system" which is further defined in the Act, or
- contained in a health, educational or social services record.

5. Processing
Section 8 of the Data Protection Act of 1998 defines the term
"processing" as that which covers all manner of use including
obtaining, recording, holding, altering, retrieving, destroying or
disclosing data.
INTRODUCTION TO THE CONCEPT OF DATA PROTECTION
ACT OF 1998
The statutes relating to data protection set rules for the processing
of personal information which is held on computers. E-mail is yet another facility for the transmission of data provided by computers and
inevitably will attract the attention of the regulatory framework. The
Data Protection Act of 1998 is by far the most important legislative
measure in this field. The Act came into force on 1st March 2000. It
repeals the 1984 Act of the same name, though some transitional
provisions mean that processing carried out before 24th October 1998
will still be subject to the 1984 Act until October 2001. The Data Protection Act of 1998 protects personal data. Personal data is defined as data
which relates to a living individual who can be identified from the data
and other information which the data controller has, or is likely to have
at some future stage, in his possession.
The Data Protection Act of 1998 is built around 8 principles.
The principles are the bedrock of the legislation and are as follows:
The data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure; and
- Not transferred to countries without adequate protection.
NATIONAL SECURITY AND DATA PROTECTION
The treatment of data processed for purposes connected with
national security has been a controversial aspect of the United Kingdom system and will now be considered in more detail.
Although the decision to implement the Directive by means of
primary legislation opened the way to reform of all aspects of the
legislation, the Government have indicated that there is to be no
change in the provisions relating to national security. In respect
of the raft of minor and technical applications exempted under the
Data Protection Act, there seems no doubt that, with the exception
of processing for domestic purposes, these will be brought within
the regulatory structure. Unlike the Act, however, the Directive
contains provision for such applications to be exempted from the
requirement of notification [3] whilst retaining the obligation to
conform with the substantive requirements of the legislation.

[3] registration

Given that much of the criticism of the present
legislation has centred upon the bureaucratic nature of the
registration process, this might well extend the coverage of the
legislation at marginal cost to the data users affected. Indeed, as
will be discussed, the Directive's implementation may offer the
opportunity for radical simplification of the registration process to
the benefit of large numbers of data users. Many aspects of data
protection require the striking of a balance between competing
interests.
The argument in favour of exempting data held for the purpose
of safeguarding national security can be simply put. Data
protection attempts to ensure openness and accountability in
respect of data processing. Some forms of processing are,
however, so closely linked to the vital interests of the state that
they require to be undertaken away from the public gaze. In these situations the arguments in favour of secrecy outweigh those of
transparency. This claim may be strongly advanced where the
activities in question impinge upon questions of national security.
Although the Directive excludes national security from
its area of coverage, the United Kingdom legislation is also
intended to comply with the provisions of the Council of Europe
Convention. This instrument recognizes that certain categories of
processing should not be subjected to the full rigours of a data
protection regime, providing that:
"Derogation from the provisions of Article 5, 6 and 8 of
the Convention shall be allowed when such a derogation is
provided by the law of the party and constitutes a necessary
measure in a democratic society in the interests of." Although the
Convention provides for special treatment to be afforded to a
variety of informational practices, chiefly lying within the public
sector, it is only in respect of information held for the purposes of
national security that the United Kingdom legislation totally
excludes the application of the Data Protection Act. In respect of
the other areas of activity, the said Act provides for limited or
partial exemption from some of its provisions, in particular those relating to subject access.
NATIONAL SECURITY IN THE DATA PROTECTION ACT
OF 1998
The Data Protection Act of 1998 essays no definition of the scope of national security. The traditional response of
Prime Ministers faced with a parliamentary question seeking explanation
as to the scope of national security interests has been on the lines:
"This term has been in general use for many years in a variety of
contexts and is generally understood to refer to the safeguarding of
the state and the community against threats to their survival or
well being. I am not aware that any previous Administration has
thought it appropriate to adopt a specific definition of the term."
It has been recently reported that every telex message sent from
the United Kingdom is routinely scanned by the security services.
Under the provisions of the Data Protection Act of 1998, any
government minister is empowered to certify conclusively that any
holding of personal data is done for the purpose of safeguarding
national security. In such event, the provisions of the said Act will
have no application. The processing of personal data by the
elusive national security agencies will not be the subject of any
form of notification to the Registrar unless or until some form of
challenge arises.
Whilst the nature of the activities of national security agencies often requires that their operations be shrouded in a deal
of secrecy, the UK appears unusual in the extent to which this
principle is applied. The Lindop Committee recommended that
whilst the subject access provisions should not extend to
information held by a national security agency and, whilst details
of the information practices of these bodies would not appear on
the Data Protection Register, it should be ensured that:
"... the DPA has at least one senior official with a security
clearance sufficiently high for him to be able to operate in effect as
a privacy consultant to the Home Office and the security services,
and to work out with them the appropriate rules and safeguards
for their systems."
The compatibility of the Data Protection Act's treatment of
national security with the Convention's requirements may be
queried in two significant respects:
- Whether the approach of totally excluding this sector of data processing can be classed as a derogation from the general
provisions; and
- Whether the approach adopted constitutes a necessary measure in a democratic society.
CRYPTOGRAPHY, PRIVACY AND NATIONAL SECURITY
CONCERNS
The term cryptography means the mathematical science used to secure the confidentiality and authentication of data by
replacing it with a transformed version that can be reconverted to
reveal the original data only by someone holding the proper
cryptographic algorithm and key. [4] The term cryptography also
means a discipline that embodies the principles, means, and
methods for transforming data in order to hide its information
content, prevent its undetected modification, and/or prevent its
unauthorized use.
The term cryptography means a clearly specified
mathematical process for computation, a set of rules that produce
a prescribed result.
With the development of the Internet into a global
marketplace, it has suddenly emerged as a lucrative centre
for commercial transactions; it has also grown into an area where
individuals from different corners of the world get to communicate
freely and cost-effectively. Communication, speech and expression
constitute some of the basic liberties of individuals to a large
extent. The right to privacy is considered a logical corollary to the
liberty to speak and express oneself. The process of encryption is
like sending a postal mail to another party with a code lock on the envelope, the code for which is known only to the sender and the
recipient. This has the effect of ensuring total privacy even in an
open network like the Internet. Encryption involves the use of
secret codes and ciphers to communicate information
electronically from one person to another in such a way that the
persons so communicating know how to use the codes and ciphers. The field of cryptography deals with secret codes and ciphers and
the innovations that occur in the field. It is the art and science of
keeping messages secure. Thus the primary purpose of encryption
and cryptography is ensuring that messages transmitted remain
secure from interference by third parties, given the advent of the
Internet and the boundaries for communication that it has thrown
open.

[4] A Guide to Information Technology: Cyber Laws and E-Commerce, Shakil Ahmed Syed and Rajiv Raheja, Page No. 1.15

A landmark development in this regard would definitely
be the case of P. U. C. L. v/s. Union of India [5], where the issue of
telephone tapping of several well known personalities connected
with the field of politics was examined. The facts of this case
have been examined in some detail since they have a direct bearing
upon the issue of Internet privacy versus national security.
Section 5 (2) of the Indian Telegraph Act was challenged
since it allowed the concerned authorities to intercept such mail as
they felt might be necessary in the interests of national
sovereignty, integrity, security, relations with foreign States, public
order or to prevent incitement leading to the commission of an
offence. The judgement delivered by Kuldip Singh, J., took a
broad overview of the development of the right to privacy as a constitutional right in India and held that telephone tapping was
definitely a move against privacy and, therefore, ought not to be
permitted except in the gravest of grave circumstances such as a
public emergency.

[5] AIR 1978 SC 597

The Courts held that terms such as national security and integrity are very broad and may be interpreted to suit the purposes
of the executive. The Courts also held that it is evident from a
detailed examination of the Constitutional position and the history
of the right to privacy in India that the right must be made
subservient to the national interest and national security at all
times. Going by the strict terms of the P. U. C. L. Case, it is very
clear that what constitutes national interest is, as yet, not very
clear. For example, if an Internet equivalent of the securities scam
were to take place, the government may still be unable to invade
one's privacy simply by virtue of the fact that an economic
emergency does not constitute a public emergency in the sense
intended by the P. U. C. L. Case.
BREACHES OF SECURITY FOR DATA PROTECTION
The following are a number of ways in which losses of data or information take place:
- Theft of PC and Media
- Damage due to breakages
- Environmental damages
- Inadvertent corruption/loss
- Environmental losses
- Malicious damages/leakages
- Unauthorized access
- Modification, erasures, etc.
- Computer viruses on-line or off-line
- Data typing etc.
NATIONAL SECURITY IN THE ELECTRONIC DATA-
PROCESSING ENVIRONMENT
Society increasingly relies on automated systems to
carry out many essential functions in day-to-day life. If
these systems are to be depended upon, it is essential that the
persons responsible for their operation recognize the
vulnerabilities to which they are subject and take steps to
implement appropriate safeguards. An EDP system can be considered as a group of assets of varying sensitivity
related to the maintenance of three basic requirements:
confidentiality, integrity and availability. EDP security,
while a relatively recent discipline, is subject to a variety of
interpretations. Historically, security measures have been
applied to the protection of classified information from the
threat of disclosure in a national security context. Recently,
much attention has been directed to the issue of individual
privacy as it relates to personal information stored in
computerized data systems. Another consideration is
data integrity in financial, scientific and process control applications. The security of computer installations
themselves is of great concern to many organizations, owing
to the significant financial investment involved.
EDP security is considered to consist of seven
essential components, namely the following:

Administrative and Organisational security
Administrative and Organisational security involves the
development of an overall security policy and
the establishment of procedures for its implementation.
Specific security administrative practices will vary
considerably depending on the size and nature of the work performed by an organization.

Personnel Security
Personnel Security includes specifying security
requirements in job descriptions and ensuring that
incumbents meet these requirements and are provided
with adequate security motivation and training. It also
involves supervising access to and control over system
resources through appropriate personnel identification
and authorization measures.

Physical Security
All EDP facilities should be provided with physical
protection in order to ensure security commensurate
with the sensitivity of the data being processed and the
service being provided. The close relationship between
the physical, environmental and hardware aspects of
EDP security makes coordination between computer
system and traditional security staff essential,
particularly during the planning and design stages of
new systems and facilities.

Communications-electronic security
Telecommunications are almost invariably a
fundamental component of automated systems, and
their use has the effect of extending the geography of
the security concern and of complicating service
availability. As the communication facets multiply, so
do the possibilities of crossed communication between
the lines, misrouting of information, and the wire-tapping
of, and monitoring of electromagnetic radiation
from, hardware.

Hardware and Software security
Hardware security relates to those protective features
implemented through the architectural characteristics of
the data-processing equipment, as well as the support
and control procedures necessary to maintain the
operational integrity of those features.

Operations security
Operations security relates to the policy and procedures
that are necessary to ensure that the required operations
capability is always available and that security
exposures within the environment are acceptable. In
shared systems, the separation of duties concept means that no single individual can subvert controls on the
system, and the least privilege concept ensures that no
one is granted a capability for which there is no
well-substantiated operational security.

Contingent Planning
Contingent Planning is a basic requirement in the EDP
Security program, regardless of the sensitivity of the
information processed or the size of the installation
providing the service. Every EDP system has been
developed to perform some type of service or to fulfill a role. The plans for achieving the goals associated with
that role are, in most instances, based on normal
operating conditions. However, no amount of
precautionary work can preclude the occurrence of
situations that produce unexpected disruptions in
routine operations.
ADOPTION OF SECURITY PROCEDURES AND THE
INFORMATION TECHNOLOGY ACT OF 2000
Information is a valuable commodity. It is valuable if and only if it remains confidential, secure and retains its integrity. Both public
networks [6] and private networks [7] are open to virus attacks, hacking and
other forms of manipulation. It is thus required that network
administrators adopt the best practices to protect the information
technology infrastructure. Managing such information technology
infrastructure is a continuous process and it requires strict adherence to
well-laid-down security procedures. Only a secured system leads to
secure transactions. From the user's perspective, the Act is concerned with
the application of security procedures at the user's level. The aim is to
protect the communication [8] and not the medium. [9] It is for this purpose
that the Act talks about secured electronic records [10] and secured digital signatures [11]
by applying appropriate security procedures.
Section 14 of the Information Technology Act of 2000 deals
with "Secure Electronic Record". It states that where any security
procedure has been applied to an electronic record at a specific point of
time, then such record shall be deemed to be a secure electronic record
from such point of time to the time of verification.

[6] Intranet
[7] Intranet, Extranet, VPN, etc.
[8] Message
[9] Information Technology Infrastructure
[10] Section 14
[11] Section 15

Section 15 of the Information Technology Act of 2000 deals with "Secure Digital Signature". It states that if, by application of a
security procedure agreed to by the parties concerned, it can be verified
that a digital signature, at the time it was affixed, was unique to the
subscriber affixing it, capable of identifying such subscriber and created
in a manner or using a means under the exclusive control of the
subscriber and is linked to the electronic record to which it relates in
such a manner that if the electronic record was altered the digital
signature would be invalidated, then such digital signature shall be
deemed to be a secure digital signature.
Section 16 of the Information Technology Act of 2000 deals
with "Security procedure". This provision states that the Central
Government shall, for the purposes of this Act, prescribe the security
procedure having regard to commercial circumstances prevailing at the
time when the procedure was used, including:
- The nature of the transaction.
- The level of sophistication of the parties with reference to their
technological capacity.
- The volume of similar transactions engaged in by other parties.
- The availability of alternatives offered to but rejected by any party.
- The cost of alternative procedures; and
- The procedures in general use for similar types of transactions or
communications.
CONCLUSION
To conclude, both the Information Technology Act of 2000
and the Data Protection Act of 1998 are apt legislations which deal
with issues relating to National Security in Data Processing. The
Law in India has been generous enough to promote more national
security to the data stored in the internet world. But even with
stringent laws, people who adore the internet world give way to
corrupt computer practices, which should be dealt with
separately. Criminals and terrorists are using encryption and other advanced technologies to hide their activities. Indications are that
use of these technologies will continue and expand, with a growing
impact on law enforcement. Efforts to decrypt data for law
enforcement agencies or corporations in need of recovering from
lost keys have been largely successful because of weaknesses in
the systems as a whole. As the population becomes better
educated about information and technology, more and more
criminals will have the knowledge and skills needed to evade law
enforcement, particularly given the ease with which unbreakable,
user-friendly software can be distributed and obtained on the
Internet. National Policy must recognize not only the threat to law enforcement and intelligence operations, but also the need to
protect the intellectual property and economic competitiveness of
industry. As rightly put forward by Isaac Goldberg, I quote the
following:
"Diplomacy is to do and say / the nastiest things in the nicest way."
Any act done with the rules and regulation in mind is legal in
framework.
BIBLIOGRAPHY
1. Information Technology Laws - R. K. Suri, Parag Diwan and Shammi Kapoor (2000 Edition)
2. E-mail, the Internet and the Law - Tim Kevan and Paul McGrath (2007 Edition)
3. Cyber Crimes and Law - V. D. Dudeja (2002 Edition)
4. Law Relating to Computers, Internet and E-Commerce - Nandan Kamath (2006 Edition)
5. Black's Law Dictionary (5th Edition)
6. Information Technology Law and Practice: Cyber Law and E-Commerce - Vakul Sharma
LIST OF BARE ACTS
1. Bare Act of the Information Technology Act of 2000
2. Bare Act of the Data Protection Act of 1998
LIST OF MANUALS REFERRED
International Review of Criminal Policy - A United Nations Manual
on the Prevention and Control of Computer-Related Crime.
LIST OF CASES WITH CITATIONS
P. U. C. L. v/s. Union of India - AIR 1978 SC 597
ABBREVIATIONS
1. No. - Number
2. i.e., - that is
3. PUCL - People's Union for Civil Liberties
4. EDP - Electronic Data Processing
5. PC - Personal Computer
6. SC - Supreme Court
7. AIR - All India Reporter
8. DPA - Data Processing Register
LIST OF AUTHORITIES
The Honourable Supreme Court of India
LIST OF PROVISIONS OF VARIOUS LAWS
1. Article 5 of the Indian Constitution
2. Article 6 of the Indian Constitution
3. Article 8 of the Indian Constitution
4. Article 253 of the Indian Constitution
5. Section 2 (o) of the Information Technology Act of 2000
6. Section 2 (zf) of the Information Technology Act of 2000
7. Section 14 of the Information Technology Act of 2000
8. Section 15 of the Information Technology Act of 2000
9. Section 16 of the Information Technology Act of 2000
10. Section 3 of the Data Protection Act of 1998
11. Section 8 of the Data Protection Act of 1998
LIST OF EMINENT EXPERTS ON IT LAW
1. Justice Kuldip Singh
2. Nicholas Negroponte
INTERNET SOURCES
1. www.informationtechnologylaw.com
2. www.dataprotectionlaw.com
OTHER SOURCE OF INFORMATION
Lectures delivered on the topic by Dr. P. D. Sebastian, Senior Faculty
of SDM Law College and Centre for Post Graduate in Law, Mangalore