it law 2 - dr p d sebastian

8/9/2019 It Law 2 - Dr p d Sebastian

1/34

1

THE INFORMATION TECHNOLOGY LAW

THE CONCEPT OF NATIONAL SECURITY IN DATA

PROCESSING

INTRODUCTION TO THE INFORMATION TECHNOLOGY LAW

The Origin of Information Technology Act of 2000

Moving bits is cheaper than moving atoms

- Nicholas Negroponte1

Since the beginning of civilization, man has always beenmotivated by the need to better the existing technologies. This has

led to tremendous development and progress. Of all the significant

advances made by mankind till date, probably the most important

is the development of internet. To put it plainly, Internet is a global

network of computers, all of them speaking the same language.

The real power of todays Internet is that it is available to anyone

with a computer and a telephone line. Internet places in an

individuals hands the immense and invaluable power of

information and communication. Internet usage has significantly

increased over the past few years.

The Parliament under Article 253 of the Indian

Constitution relying on the Resolution of the General Assembly of

the United Nations passed Indias first Cyber Law. This saw the

beginning of the Information Technology Bill in the year 1999.

The Information Technology Bill is not an original piece of

legislation. It has been based on the UNICTRAL Model Law on

1Information Technology Law and Practice Cyber Law and E-Commerce Vakul Sharma- Page No. 3


2/34

2

E-Commerce and incorporates within it the important features of

the Model Law.

All the abovementioned and other varied

considerations created a conducive atmosphere for the need forenacting relevant Cyberlaws in India. The Government of India

responded by coming up with the draft of the first Cyberlaw of

India i.e., The Information Technology Bill of 1999. The very

purpose of the Information Technology Bill of 1999 was to provide

the necessary legal and business infrastructure required for

enabling e-commece in India. The proposed Bill purported to

facilitate the coming together of trade and commerce, besides

eliminating barriers coming in the way of electronic-commerce

resulting from the glorious uncertainities relating to writing and

signature requirements over the Internet.

On 17th

May 2000, the Parliament created history when

it passed Indias first Cyber Law aimed at regulating cyberspace,

namely, The Information Technology Act of 2000. It received the

Presidents assent on June 9, 2000 and was implemented on

October 17, 2000. The Information Technology Act of 2000 was

the first amongst a serried of cyber legislations, which India will

require to effectively become a super power in cyberspace. It

provides for a legal infrastructure, aimed at promoting e-commerce

in India.


3/34

3

THE OBJECTIVES OF THE INFORMATION TECHNOLOGY

ACT OF 2000

The objectives of the Information Technology Act of 2000

are defined as hereunder :

1.To provide legal recognition for transactions carried out bymeans of electronic data interchange and other means of

electronic communication, commonly referred to as electronic

commerce, which involve the use of alternatives to paper-based methods of communication and storage of information.

2.To facilitate electronic filing of documents with theGovernment agencies and further amend the Indian Penal Code,

the Indian Evidence Act of 1872, the Bankers Books Evidence

Act of 1891 and the Reserve Bank of India Act of 1934 and for

matters connected therewith or incidental thereto.

Towards the end, the said Act stipulates numerous provisions.

It also aims to provide for a legal framework so that legal

sanctity is accorded to all electronic records and other activities

carried out by electronic means.


4/34

4

DEFINITIONS

For the purpose of knowing the above topic for consideration,

we shall know the important definitions of the terms covered under the

law.

1.DataSection 2 (o) of the Information Technology Act of 2000 defines

the term data means a representation of information, knowledge,

facts, concepts or instructions which are being prepared or have

been processed or has been processed in a computer system orcomputer network, and may be in any form (including computer

printouts magnetic or optical storage media, punched cards,

punched tapes) or stored internally in the memory of the computer.

2.SecurityAccording to Blacks Law Dictionary

2, the term Security means

protection, assurance and indemnification. The term is applied to

an obligation, pledge, mortgage, deposit, lien, etc., given by a

debtor in order to assure the payment or performance of his debt,

by furnishing the creditor with a resource to be used in case of

failure in the principal obligation.

3.Security ProcedureSection 2 (zf) of the Information Technology Act of 2000 defines

the term Security Procedure which means the security procedure

prescribed under Section 16 by the Central Government.

2Page No. 1216


5/34

5

Section 16 of the Information Technology Act of 2000 provides for

Security procedures and practices The Central Government

may, for the purposes of Sections 14 and 15, prescribe the security

procedures and practices. Provided that in prescribing suchsecurity procedures and practices, the Central Government shall

have regard to the commercial circumstances, nature of

transactions and such other related factors as it may consider

appropriate.

4.DataThe term data is defined under Section 3 of the Data Protection

Act of 1998 as information which is processed automatically or

recorded with the intention to process automatically or

- recorded as, or with the intention that it be, part of a manual

"relevant filing system" which is further defined in the Act or

- contained in a health, educational or social services record.

5.ProcessingSection 8 of the Data Protection Act of 1998 defines the term

processing as that which covers all manner of use including

obtaining, recording, holding, altering, retrieving, destroying or

disclosing data.


6/34

6

INTRODUCTION TO THE CONCEPT OF DATA PROTECTION

ACT OF 1998

The statutes relating to data protection set rules for the processing

of personal information which is held on computers. E-mail is yetanother facility for the transmission of data provided by computers and

inevitably will attract the attention of the regulatory framework. The

Data Protection Act of 1998 is by far the most important legislative

measure in this field. The Act came into force on 1st

March 2000. It

repeals the 1984 Act of the same name, though some transitional

provisions mean that processing carried out before 24th

October 1998

will still be subject to the 1984 Act until October 2001. The DataProtection Act of 1998 protects personal data. It is defined as a data

which relates to a living individual who can be identified from the data

and other information which the data controller has, or is likely to have

at some future stage, in his possession.

The Data Protection Act of 1998 is built around 8 principles.

The principles are the bedrock of the legislation and are as follows :

The data must be :

Fairly and lawfully processedProcessed for limited purposesAdequate, relevant and not excessiveAccurateNot kept for longer than is necessaryProcessed in line with your rightsSecure ; andNot transferred to countries without adequate protection.


7/34

7

NATIONAL SECURITY AND DATA PROTECTION

The treatment of data processed for purposes connected with the

national security has been a controversial aspect of the UnitedKingdom system and will be considered in more detail now.

Although, the decision to implement the Directive by means of

primary legislation opened the way to reform of all aspects of the

legislation, the Government have indicated that there is to be no

change in the provisions relating to national security. In respect

of the raft of minor and technical applications exempted under the

Data Protection Act, there seems no doubt that with the exception

of processing for domestic purposes, these will be brought within

the regulatory structure. Unlike the Act, however, the Directive

contains provision for such applications to be exempted from the

requirement of notification3

whilst retaining the obligation to

conform with the substantive requirements of the legislation.

Given that much of the criticism of the present

legislation has centred upon the bureaucratic nature of the

registration process, this might well extend the coverage of the

legislation at marginal cost to the data users affected. Indeed, as

will be discussed, the Directives implementation may offer the

opportunity for radical simplication of the registration process to

the benefit of large numbers of data users. Many aspects of data

protection require the striking of a balance between the competing

interests.

The argument in favour of exempting data held for the purpose

of safeguarding national security can be simply put. Data

3registration


8/34

8

protection attempts to ensure openness and accountability in

respect of data processing. Some forms of processing are,

however, so closely linked to the vital interests of the state that

they require to be undertaken away from the public gaze. In thesesituations the arguments in favour of secrecy outweigh those of

transparency. This claim may be strongly advanced where the

activities in question impinge upon questions of national security.

Although, the Directive excludes national security from

its area of coverage, the United Kingdom legislation is also

intended to comply with the provisions of the Council of Europe

Convention. This instrument recognizes that certain categories of

processing should not be subjected to the full rigours of a data

protection regime providing that :

Derogation from the provisions of Article 5, 6 and 8 of

the Convention shall be allowed when such a derogation is

provided by the law of the party and constitutes a necessary

measure in a democratic society in the interests of. Although, the

Convention provides for special treatment to be afforded to a

variety of informational practices, chiefly lying within the public

sector, it is only in respect of information held for the purposes of

national security that the United Kingdom legislation totally

excludes the application of the Data Protection Act. In respect of

the other areas of activity the said Act provides for limited or

partial exemption from some of its provisions, in particular thoserelating to subject access.


9/34

9

NATIONAL SECURITY IN THE DATA PROTECTION ACT

OF 1998

The Data Protection Act of 1998 essays no definition of thescope of national security. The traditional response of the Prime

Ministers faced with a parliamentary question seeking explanation

as to the scope of national security interests has been on the lines :

This term has been in general use for many years in a variety of

contexts and is generally understood to refer to the safeguarding of

the state and the community against threats to their survival or

well being. I am not aware that any previous Administration has

thought it appropriate to adopt a specific definition of the term.

It has been recently reported that every telex message sent from

the United Kingdom is routinely scanned by the security services.

Under the Data Protection Act of 1998, the provisions any

government minister is empowered to certify conclusively that any

holding of personal data is done for the purpose of safeguarding

national security. In such event, the provisions of the said Act will

have no application. The processing of personal data by the

elusive national security agencies will not be the subject of any

form of notification to the Registrar unless or until some form of

challenge arises.

Whilst the nature of the activities of national securityagencies often requires that their operations be shrouded in a deal

of secrecy the UK appears unusual in the extent to which this

principle is applied. The Lindop Committee recommended that

whilst the subject access provisions should not extend to


10/34

10

information held by a national security agency and, whilst details

of the information practices of these bodies would not appear on

the Data Protection Register, it should be ensured that :

.the DPA has at least one senior official with a security

clearance sufficiently high for him to be able to operate in effect s

a privacy consultant to the Home Office and the security services,

and to work out with them the appropriate rules and safeguards

for their systems.

The compatibility of the Data Protection Acts treatment of

national security with the Conventions requirements may be

queried in two significant respects.

Whether the approach of totally excluding this sector of dataprocessing can be classed as a derogation from the general

provisions ; and

Whether the approach adopted constitutes a necessarymeasure in a democratic society.


11/34

11

CRYPTOGRAPHY, PRIVACY AND NATIONAL SECURITY

CONCERNS

The term cryptography means the mathematical scienceused to secure the confidentiality and authentication of data by

replacing it with a transformed version that can be reconverted to

reveal the original data only by some one holding the proper

cryptographic algorithm and key.4

The term cryptography also

means a discipline that embodies the principles, means, and

methods for transforming data in order to hide its information

content, prevent its undetected modification, and / or prevent its

unauthorized uses.

The term cryptography means a clearly specified

mathematical process for computation, a set of rules that procedure

a prescribed result.

With the development of the Internet into a global market

place, the world has seen a sudden emerged as a lucrative centre

for commercial transactions, it has also grown into an area where

individuals from different corners of the world get to communicate

freely and cost effectively. Communication, speech and expression

constitute some of the basic liberties of individuals to a large

extent. The right to privacy is considered a logical corollary to the

liberty to speak and express oneself. The process of encryption is

like sending a postal mail to another party with a code lock on theenvelope, the code for which is known only to the sender and the

recipient. This has the effect of ensuring total privacy even in an

4A Guide to Information Technology Cyber Laws and E- Commerce : Shakil Ahmed Syed and Rajiv Raheja Page

No. 1.15


12/34

12

open network like the Internet. Encryption involves the use of

secret codes and ciphers to communicate information

electronically from one person to another in such a way that the

persons so communicating know to use the codes and ciphers.The fields of cryptography deals with secret codes and ciphers and

the innovations that occur in the field. It is an art and science of

keeping messages secure. Thus the primary purpose of encryption

and cryptography in ensuring that messages transmitted remain

secure from interference by third parties, with the advent of the

Internet and the boundaries for communication that are thrown

open.

In a landmarking development in this regard would definitely

be the case of P. U. C. L. v/s. Union of India5, where the issue of

telephone tapping of several well known personalities connected

with the field of politics was examined. The facts of this case

have been examined in some detail since they have a direct bearing

upon the issue of Internet privacy versus national security.

Section 5 (2) of the Indian Telegraph Act was challenged

since it allowed the concerned authorities to intercept such mail as

they felt might be necessary in the interests of national

sovereignty, integrity, security, relations with foreign States, public

order or to prevent incitement leading to the commission of an

offence. The judgement delivered by Kuldip Singh, J., took a

broad overview of the development of the right to privacy as aconstitutional rig ht in India and held that telephone tapping was

definitely a move against privacy and, therefore, ought not to do be

5AIR 1978 SC 597


13/34

13

permitted except in the gravest of grave circumstances such as a

public emergency.

The Courts held that the terms such as national security andintegrity are very broad and may be interpreted to suit the purposes

of the executive. The Courts also held that it is evident from a

detailed examination of the Constitutional position and the history

of the right to privacy in India that the right must be made

subservient to the national interest and national security at all

times. Going by the strict terms of the P. U. C. L. Case, it is very

clear that what constitutes national interest is, as yet, not very

clear. For example, if an Internet equivalent of the securities scam

were to take place, the government may still be unable to invade

ones privacy simply by virtue of the fact that an economic

emergency does not constitute a public emergency in the sense

intended by the P. U. C. L. Case.


14/34

14

BREACHES OF SECURITY FOR DATA PROTECTION

The following are number of manners by which losses of dataor information takes place and these are as follows :

Theft of PC and MediaDamage due to breakagesEnvironmental damagesInadvert corruption/lossEnvironmental lossesMalicious damages/leakagesUnauthorized accessModification, erasures, etc.,Computer viruses on-line or off-lineData typing etc.,


15/34

15

NATIONAL SECURITY IN THE ELECTRONIC DATA-

PROCESSING ENVIRONMENT

Society increasingly relies on automated systems to

carry out many essential functions in day-to-day life. If

these systems are to be depended upon, it is essential that the

persons responsible for their operation recognize the

vulnerabilities to which they are subject and take steps to

implement appropriate safeguards. And EDP system can be considered as a group of assets of varying sensitivity

related to the maintenance of tree basic requirements,

confidentiality, integrity and availability. An EDP security,

while a relatively recent discipline, is subject to a variety of

interpretations. Historically, security measures have been

applied to the protection of classified information from the

threat of disclosure in a national security context. Recently,

much attention has been directed to the issue of individual

privacy as it relates to personal information stored in

computerized data systems. Another consideration is that

data integrity is financial, scientific and process controlapplications. The security of computer installations

themselves is of great concern to many organizations, owing

to the significant financial investment involved.


16/34

16

The EDP security is considered to consist of seven

essential components namely the following :

Administrative and Organisational securityAdministrative and Organisational security involves the

overall development of an overall security policy and

the establishment of procedures for its implementation.

Specific security administrative practices will vary

considerably depending on the size and nature of thework performed by an organization.

Personnel SecurityPersonnel Security includes specifying security

requirements in job descriptions and ensuring that

incumbents meet these requirements and are provided

with adequate security motivation and training. It also

involves supervising access to and control over system

resources through appropriate personnel identification

and authorization measures.

Physical SecurityAll EDP facilities should be provided with physical

protection in order to ensure security commensurate


17/34

17

with the sensitivity of the data being processed and the

service being provided. The close relationship between

the physical, environmental and hardware aspects of

EDP security makes coordination between computer

system and traditional security staff essential,

particularly during the planning and design stages of

new systems and facilities.

Communications-electronic securityTelecommunication are almost invariably a

fundamental component of automated systems, and

their use has the effect of extending the geography of

the security concern and of complicating service

availability. As the communication facets multiply, so

do the possibilities of crossed communication between

the lines, misrouting of information and the wire-

tapping of, and monitoring of electromagnetic radiation

from hardware.

Hardware and Software securityHardware security relates to those protective features

implemented through the architectural characteristics of

the data-processing equipment, as well as the support


18/34

18

and control procedures necessary to maintain the

operational integrity of those features.

Operations securityOperations security relates to the policy and produces

that are necessary to ensure that the required operations

capability is always available and that security

exposures within the environment are acceptable. In a

shared systems, the separation of duties concept meansthat no single individual can subvert controls on the

system and the least privilege concept ensures that no

one is granted a capability for which there is no well-

substantiated operational security.

Contingent PlanningContingent Planning is a basic requirement in the EDP

Security program, regardless of the sensitivity of the

information processed or the size of the installation

providing the service. Every EDP system has been

developed to perform some type of service or to fulfill arole. The plans for achieving the goals associated with

that role are, in most instances, based on normal

operating conditions. However, no amount of


19/34

19

precautionary work can preclude the occurrence of

situations that produce unexpected disruptions in

routing operations.


20/34

20

ADOPTION OF SECURITY PROCEDURES AND THE

INFORMATION TECHNOLOGY ACT OF 2000

Information is a valuable commodity. It is valuable, if and onlyif it remains confidential, secure and retains its integrity. Both public

networks6

and private networks7

are open to virus attacks, hacking and

other forms of manipulations. It is thus required that the network

administrators must adopt the best practices to protect the information

technology infrastructure. Managing such information technology

infrastructure is a continuous process and it requires strict adherence to

well-laid down security procedures. Only a secured system leads to

secure transactions. From the users perspective, the Act concerns with

the application of security procedures at the users level. The aim is to

protect the communication8

and not the medium.9

It is for this purpose

the Act talks about secured electronic records

10

and secured digitalsignatures

11by applying appropriate security procedures.

Section 14 of the Information Technology Act of 2000 deals

with Secure Electronic Record. It states that where any security

procedure has been applied to an electronic record at a specific point of

6Intranet

7Intranet, Extranet, VPN, etc.,

8Message

9Information Technology Infrastructure

10Section 14

11Section 15


21/34

21

time, then such record shall be deemed to be a secure electronic record

from such point of time to the time of verification.

Section 15 of the Information Technology Act of 2000 dealswith Secure Digital Signature. It states that if by application of a

security procedure agreed to by the parties concerned, it can be verified

that a digital signature, at the time it was affixed, was unique to the

subscriber affixing it, capable of identifying such subscriber and created

in a manner or using a means under the exclusive control of the

subscriber and is linked to the electronic record to which it relates in

such a manner that if the electronic record was altered the digital

signature would be invalidated, then such digital signature shall be

deemed to be a secure digital signature.

Section 16 of the Information Technology Act of 2000 deals

with Security procedure. This provisions states that the Central

Government shall for the purposes of this Act, prescribe the security

procedure having regard to commercial circumstances prevailing at the

time when the procedure was used, including

The nature of the transaction.The level of sophistication of the parties with reference to their

technological capacity

The volume of similar transactions engaged in by other partiesThe availability of alternative offered to but rejected by any party


22/34

22

The cost of alternative procedures ; andThe procedures in general use for similar types of transactions or

communications.


23/34

23

CONCLUSION

To conclude, both the Information Technology Act of 2000

and the Data Protection Act of 1998 are apt legislations which deal

with issues relating to National Security in Data Processing. The

Law in India has been generous enough to promote more national

security to the datas stored in the internet world. But even with

stringent laws, people who adore the internet world give way for

corrupt computer practices which should be specially dealt with

separately. Criminals and terrorists are using encryption and otheradvanced technologies to hide their activities. Indications are that

use of these technologies will continue and expand, with a growing

impact on law enforcement. Efforts to decrypt data for law

enforcement agencies or corporations in need of recovering from

lost keys have been largely successful because of weaknesses in

the systems as a whole. As the population becomes better

educated about information and technology, more and more

criminals will have the knowledge and skills needed to evade law

enforcement, particularly given the ease with which unbreakable,

user-friendly software can be distributed and obtained on the

Internet. National Policy must recognize not only the threat to lawenforcement and intelligence operations, but also the need to

protect the intellectual property and economic competitiveness of


24/34

24

industry. As rightly put forward by Issac Goldberg, I quote the

following :

Diplomacy is to do and say / the nastiest things in the nicest way.

Any act done with the rules and regulation in mind is legal in

framework.


25/34

25

BIBLIOGRAPHY

1.Information Technology Laws R. K. Suri, Parag Diwanand Shammi Kapoor (2000 Edition)

2.E-mail, the Internet and the Law Tim Kevan and PaulMcGrath (2007 Edition)

3.Cyber Crimes and Law V. D. Dudeja (2002 Edition)4.Law Relating to Computers, Internet and E-Commerce

Nandan Kamath (2006 Edition)5.Blacks Law Dictionary (5th Edition)6.Information Technology Law and Practice : Cyber Law

and E-Commerce Vakul Sharma


26/34

26

LIST OF BARE ACTS

1.Bare Act of the Information Technology Act of 20002.Bare Act of the Data Protection Act of 1998


27/34

27

LIST OF MANUALS REFERRED

International Review of Criminal Policy A United Nations Manual

on the Prevention and Control of Computer-Related Crime.


28/34

28

LIST OF CASES WITH CITATIONS

P. U. C. L. v/s. Union of India - AIR 1978 SC 597


29/34

29

ABBREVIATIONS

1.No. Number2. i.e., - that is3.PUCL Peoples Union for Civil Liberties4.EDP Electronic Data Processing5.PC Personal Computer6.SC Supreme Court7.AIR All India Reporter8.DPA Data Processing Register


30/34

30

LIST OF AUHORITIES

The Honourable Supreme Court of India


31/34

31

LIST OF PROVISIONS OF VARIOUS LAWS

1.Article 5 of the Indian Constitution2.Article 6 of the Indian Constitution3.Article 8 of the Indian Constitution4.Article 253 of the Indian Constitution5.Section 2 (o) of the Information Technology Act of 20006.Section 2 (zf) of the Information Technology Act of 20007.Section 14 of the Information Technology Act of 20008.Section 15 of the Information Technology Act of 20009.Section 16 of the Information Technology Act of 200010. Section 3 of the Data Protection Act of 199811. Section 8 of the Data Protection Act of 1998


32/34

32

LIST OF EMINENT EXPERTS ON IT LAW

1.Justice Kuladip Singh2.Nicolas Negroponte


33/34

33

INTERNET SOURCES

1.www.informationtechnologylaw.com2.www.dataprotectionlaw.com


34/34

OTHER SOURCE OF INFORMATION

Lectures delivered on the topic by Dr. P. D. Sebastian Senior Faculty

of SDM Law College and Centre for Post Graduate in Law, Mangalore

it law 2 - dr p d sebastian

Documents