Cyber Crime and Intermediary Liability

By Amber Gupta, Head Legal Birla Sun Life Insurance Company Limited

content-image

Amber Gupta, Head Legal Birla Sun Life Insurance Company Limited

The Informational Technology Act as amended by Infor­mation Technology (Amendment) Act 2008 [“IT Act”] and rules issued there under is the prin­cipal legislation which deals with the issues cyber crimes and cyber secu­rity and liability of intermediaries in India.

What are Cyber Crimes?
Cyber crimes are basically crimes which are committed using computer or computer resources. This includes unauthorised access to computer systems, data alternation, data destruction, identity theft and intellectual property violation in virtual world.

"The function of the Intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored"

Understanding the Nature of Cyber Crimes?
Cyber Crimes can be classified in two broad categories:

• Computer Assisted Cyber Crimes
• Computer Oriented Cyber Crimes

Computer Assisted Cyber Crimes:
SPAM, Phishing, identity theft, credit card fraud, Intellectual property violation on online space, pornography, unauthorised access are typical examples of Computer Assisted Cyber Crimes. Here computer is instrumental in committing the crime.

Computer Oriented Cyber Crimes:
Use of malicious software, trojan, spyware, cyber terrorism, worm are typical examples of computer oriented cyber crimes. Here computer is the target of the crime.

Intermediary Liability
Section 79 as amended by the IT (Amendment) Act 2008 provides with certain safe harbour provisions to the liability of Intermediaries. Section 2(w) of the IT Act 2000 defines Intermediary as:

“With respect to any particular electronic records means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service provides, internet service providers, web-hosting service providers, search engine, online payment sites, online-auction sites, online market places and cyber cafes”

As per amended Section 79 of the IT Act an Intermediary shall not be liable for any third party information, data or communication link made available or hosted by them, if:

• The function of the Intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored.
• The Intermediary does not initiate the transmission or select the receiver of the transmission, and select or modify the information contained in the transmission.
• The Intermediary observes due diligence while discharging its duties and also observes such other guidelines as the Central Government may prescribe in this behalf.

The Intermediary shall loose the above immunity if the Intermediary is found to have conspired or abetted or aided or induced in the commission of the unlawful act or fails to expeditiously remove or disable the access to that material or link residing in or connected to a computer resource controlled by the Intermediary which is being used to commit the unlawful act.

The Information Technology (Intermediaries guidelines) Rules, 2011
The Central Government has also notified The Information Technology (Intermediaries guidelines) Rules, 2011. These rules provide the guidelines and procedure to be dealt by Intermediaries as part of the due diligence and administration of take down procedure which are summarized here under

Publish Rules and Terms & Conditions
The Intermediary is required to publish the rules and regulations, privacy policy and user agreement for access or usage of the Intermediary's computer resource by any person. Such terms and conditions shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that:

• Belongs to another person and to which the user does not have any right to;
• Is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
• Harm minors in any way;
• Infringes any patent, trademark, copyright or other proprietary rights;
• Violates any law for the time being in force;
• Deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
• Impersonate another person;
• Contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource
• Threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any other nation.

Take Down Obligation
The Intermediary shall not ‘knowingly’ host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission. The Intermediary is required to disable such information that is in contravention of above, within 36 hrs of knowing. Intermediary shall also preserve such information and associated records for at least 90 for investigation purposes.

Right to Terminate
The Intermediary shall have the right to immediately terminate the access or usage of the users to the computer resource of Intermediary in case of non compliance with rules and regulations, user agreement and privacy policy.

Obligation to Report and Provide Information
The Intermediary shall be required to report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

Reasonable Measures
The Intermediary shall at time follow reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011.

Grievance Officer
Intermediary is required to appoint a Grievance Officer for notification of complaints which should be resolved within one month from the date of receipt of complaint.

Current Issue