NOVEMBER 20, 2015

By M G Kodandaram

The quest

SEARCHING a person is a lot easier these days as the mobile device one carries could reveal the location without much difficulty. A criminal could be detected at a short notice if he uses such electronic gadget, which is a cause for worry to a fraudster. The law breakers are scared of using mobile devices as these are equivalents of radio collars used to track the movements of wild animals. Similarly, a fraudster using e-mail etc., for nefarious activities, with an intention to commit a crime such as phishing, stacking and similar crimes could also be spotted and arrested. Thanks to the technological advents, the investigating officers are happy as the criminals could be trapped very easily. The criminals in these instances may use pseudonymous or anonymous identities, but still they can be located and their crimes could be forensically established /proved as required under law.The requisite investigation procedures could be conducted at a faster pace as these instruments will never tell a lie. This has helped the victims of cyber crime as the perpetrators of such crimes could be identified and brought to justice on time.

But my present search of 'person' is none of the above. It is about the 'cyber law' and its flawed interpretation by an adjudicator that has enabled the identified perpetrator of such cyber crime to remain unpunished for long, as they are not the 'persons 'liable for penal measures awarded under law. In view of this situation, they escape the penalties or payment of damages to the victims or trial by courts inspite of committing such crimes. This has made the victims of cyber crimes in Karnataka suffer huge financial losses and agonies,as they find that the judicial and executive systems inherited are in capable of bringing the issue to its legal and logical conclusion within a reasonable time. The ensuing facts reveal the worsening conditions, as the victims are denied the timely remedy despite the existence of law,which is working relatively fine in other states of our country. This is a humble effort to find out: Who is the 'person' that is mentioned in IT Act (cyber law)? How to remedy / prevent the recurrence of such protracted litigation in this situation?

Virtual World - now a reality

The invention of computer and its fusion with telecommunication innovations, popularly known as Internet and Communication Technology (ICT), has resulted in the emergence of the fifth public common, in addition to the existing global commons viz., sea, land, air and space for the usage by the citizens, who are now called as 'netizens'. The Computer's (including the Computer Systems and Computer networks- CCSCN for brevity) usage in day-to-day communication, administration and commerce has broken all the boundaries of the physical world & created a borderless, virtual world of its own. Added to this, the explosion in the use of wireless technology coupled with mobile communication and related technology, being the hand held device, has opened up a new era wherein any one can get instant access to the virtual cyber world, without any hurdle, restriction or delay. Now the ICT and mobile services with the added facility of cloud computing has acquired huge proportion because of its ability to be used by anyone, anywhere, without much investment in infrastructure, time & money. This cyber space has changed the living pattern of present day cyber society. The ability to access, communicate & interact with each other as well as with every other person, and the readily available 'knowledge & information base' at a press of a button, the feasibility to do all the commercial and social activities, including complying with the statutory duties & rights, has revolutionized the way a netizen has to subsist to withstand the changed circumstances.

No doubt all these are great utilities, but unfortunately they come along with higher risks that exist in the physical environment. If these are not properly handled, it may cause irreparable damage to the very fabric of the peaceful society. Every Technological development has its own uses and abuses. In this virtual network society, if proper security measures to protect CCSCN are not taken, the chances of misuse are very high. Also the anonymity of the person using network whose physical jurisdiction could be anywhere complicates the matter. There is need of legislation and periodical review of such laws in force so as to overcome the challenges faced in the cyber environment. Proper enforcement and effective mechanism for timely redressal of disputes that may arise out of such digital transactions are equally essential for successful management of this dynamic society.

Indian cyber laws

In India, cyber laws are enacted through the Information Technology Act, 2000 that came into force on October 17, 2000, which was further strengthened by IT(Amendment) Act, 2008 with effect from October27,2009 (hereinafter referred to as 'IT Act' or 'cyber laws' for brevity). The above laws are based on the Model Law of the United Nations Commission on International Trade Law (UNCITRAL). It is always believed that a uniform law results in uniform interpretation and uniform enforcement without giving room for litigation, but the facts detailed hereunder clearly establish that such a conclusion is only a myth.

One of the main purposes and objectives of the IT Act is to grant legal recognition for all the transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", in place of paper based methods of communication, with a vision to facilitate the electronic fund transfers between the various users. The cyberspace continues to grow with increased internet penetration as the financial transactions through banks, credit cards payment etc., use this technology. At the same time these networks also are used by the criminals to commit crimes. Cyber crimes in the normal parlance are defined as any activity in which computers or networks are a tool, a target or both, or a place of criminal activity. They are computer mediated activities which are either illegal or considered illicit and which can be conducted through global electronic networks. Unless these criminal activities are controlled, the cyber space becomes a haven for such criminals, but becomes disastrous for a rule abiding Netizen.

Civil remedies for cyber crimes

To protect a person from such crimes, the IT Act provides for civil remedies as well as the criminal remedies to such victims for any violations of legal provisions framed thereunder. In chapter IX of the IT act, under heading 'penalties, compensation and adjudication', the activities that are treated as violations as well as the entire process of adjudication procedures to be followed by the executive in discharging the civil remedies are stipulated. Among them the relevant section for our present discussion is the section 43 of IT Act, wherein penalties and compensation for damages are prescribed. In cases where any person , without permission of the owner or any other person who is in charge of a CCSCN,carries out certain listed activities such as access, download, copy, disruption etc, then such person in addition to imposition of penalty shall be liable to pay damages by way of compensation to the person so affected. The amounts of compensation/damages payable are left to the reasoned discretion of the adjudicating authority or the appropriate court, depending upon the facts of each case.

As per the section 46 of IT Act, the State IT Secretary of respective state is the officer empowered to adjudicate matters in respect of contraventions to the Chapter IX of the Act if the matters in which the claim for injury or damage does not exceed Rs. 5 crores. For the injury or damage exceeding Rs 5 crores, such powers are vested with the competent court. The adjudicating officer has the powers equivalent to a Civil Court to conduct proceedings under the Act. The above legal position makes it abundantly clear that there is no upper financial limitation prescribed for determination and awards in cases of claim for injury or damage. Therefore all the persons including the 'body corporate' engaged in handling computer data and resources by means of IT or IT related industries should adhere to the reasonable security practices and procedures as regards to handling the "Sensitive personal data or information", as any failure may cause a huge financial dent.

The relevant parts of the section for our discussions areas follows: "Section 43. Penalty and Compensation for damage to computer, computer system, etc. - If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, -

(a) Accesses or secures access to such computer, computer system or computer network or computer resource;(b)to (j)… he shall be liable to pay damages by way of compensation to the person so affected".

For reasons unknown the term"Person"has not been specifically defined either in the Act or in the section, which has lead to this precarious situation. When a term is not defined in the Act, the normal recourse as well as legally pertinent method is to resort to the definition of such word as available in The General Clauses Act, 1897. As per the General Clauses Act, 1897, "Person shall include any company or association or body of individuals, whether incorporated or not" and, therefore, violations by a company or association or body of individuals are covered under the above section. Such persons are the ones protected if they are victims, or awarded punishments for any act or omission on their part if they are perpetrators of crime. But the adjudicating officer of Karnataka in the present cases interpreted the term 'person' to mean an"only an individual" but does not include a "corporate"which has caused the ensuing embarrassment and undue suffering to the victims of cyber frauds. Fortunately, the IT Act provides for suitable remedy to a person aggrieved of the above order, with a right to file an appeal in the Cyber Appellate Tribunal (CAT for short) established under section 48 of the Act. But the matter of disappointment is that the CAT is not functioning in India since 2011 to dispense remedy to the victims duly promised under cyber law.

Quest for 'person'

The details of the cases wherein such extraneous interpretation has been made to decide the matter are as under:

Case 1 : A complaint bearing no 015/2011 during 2011was filed by Mr . Rajendra Kumar Yadav, seeking compensation by way of damages from M/s ICICI bank, as the bank had contravened the provisions of section 43 of IT Act, causing loss of over four lakhs. The gist of the complaint are that, from the SB account maintained by the complainant in ICICI bank with facility of internet banking an amount of Rs. 4,14,122 was found to be withdrawn in a fraudulent manner by some unknown persons using fake identities. Soon after it came to the knowledge, the victim has filed a complaint with the bank as well as the police who have taken up the investigations and the connected criminal proceedings that follows. In the mean while so as to seek immediate civil remedy as provided under section 43 of the IT Act, the victim filed a complaint with the adjudicator of Karnataka, claiming damages to the tune of Rs. 9, 37,510.

The contention of the complainant is that the electronic space which was accessed / used to inflict loss was owned and controlled by the respondent bank, which has powers to grant access to any person and, therefore, has to own up responsibility for any unauthorised access to the account of the client. In their objection the bank questioned the maintainability and jurisdiction of the adjudicating officer to entertain a complaint and argued that the provisions of section 43 are not applicable to them as they are 'body corporate' and not 'individual person' referred to under that section. After considering the submissions, the adjudicator vide order dated 17.01.2012 upheld the contention of the bank and declared that the respondent is not a 'person 'as referred in section 43 of IT Act , thereby denied the legal remedy available to the complainant /victim.

Case 2 : In another instance, M/S Gujarat Petrosynthese Ltd, (GPL) a company having a current account with a branch of Axis bank,  during 2011, noticed that Rs 39 lakhs vanished from its account. On filing a complaint with the bank as well as with the Police, it was found that the said amount had been transferred to several other branches of Axis bank and other banks. M/s GPL filed a complaint bearing no 017/2011 under section 43 with the adjudicator of Karnataka praying that Axis bank and the other banks who have received the proceeds transferred from their account should compensate for the loss as they have allowed unauthorised access to the perpetrators of the crime. The Axis bank objected to the filing of the complaint stating that the adjudicator does not have jurisdiction to entertain the complaint under section 43 of IT Act for the reason that under section 43, any "Person" can file a complaint against another "Person"; that the word "Person" means an "Individual"; that the complainant is 'not an individual' as GPL is a corporate body; that the complaint is against Axis bank or several other banks who are also 'not individual persons' and, therefore, the provisions of section 43 are not applicable. The adjudicating officer vide order dated 27.12.2011agreed with the contention of Axis bank and passed orders holding that the complaint cannot be entertained since 'the complainant is a corporate entity and the complaint is against a corporate body'. By the above two decisions, the adjudicator created a precedent that section 43 cannot be invoked by a Company against any Company to seek civil remedies under cyber laws.

Challenges caused

It is pertinent to note that violationlisted under section 43 covers almost all cyber activities arising out of unauthorized access, unauthorized downloading, virus introduction, causing damage or denial of service, assisting another person to contravene, charging a service to another person, credit card frauds and any wrongful action involving modification, deletion of data or diminishing in the value of information residing inside a computer etc. These are treated as offences under section 66 of IT Act that could be considered for prosecution, being a criminal remedy, in addition to civil remedy. The section 66 reads as under:

"Section 66. Computer Related Offences. - If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to 5 lakh rupees or with both".

As a consequence of the decisions cited above, section 66 cannot be invoked by any company or against any company as the provisions of section 43 become inapplicable to a company. In other words there is no scope to launch prosecution against any company involving in such crimes and this results in a situation wherein the substantial part of IT Act turns out to be irrelevant for the corporate sector.

Therefore GPL made a request with the adjudicating authority immediately seeking review of its decision dated December 27, 2011. The request was kept pending without any response by the adjudicator for the reasons not made known. In the absence of a review of the said order no cyber crime victim in Karnataka could approach the adjudicator for remedy under section 43. As per section 61 of IT Act the adjudicator has the sole jurisdiction for any claim for damages upto Rs 5 crores and, therefore, the civil Judiciary refused to entertain any complaints. This resulted in creation of a void in Karnataka's cyber judicial system. Further the victims were put in a precarious situation wherein as they waited for the review by the adjudicator, they did not want to lose their right of appeal to the Cyber Appellate Tribunal (CAT for short), registered applications for appeal with CAT within the permitted time. It is a fact that the CAT is not functional since June 2011 and further more it is painful to mention here that the Tribunal is not functional even today . The CAT is yet to consider all such applications.The appeals filed by the aggrieved parties from all over India against the orders of the adjudicators are piling up at the CAT, awaiting disposal. The apathy shown by executive as well as the judiciary in not appointing Members has resulted in the huge backlog of appeals at the Tribunal.

On seeing the plight of cyber victims in the state, the Karnataka Human Rights Commission during March 2013, took  suo-moto cognisance of the adverse effect of the lack of cyber judicial process in the state, issued a notice to IT Secretary to set the matters right by resuming the adjudication process stipulated under cyber laws. The IT Secretary, who is the adjudicator as per IT Act, sought opinion of the legal department, who favoured recalling of the defective orders. Accordingly, the adjudicator, without hearing the parties concerned, vide no ITD 17 PRM 2011 dated 26 April 2013, recalled the earlier order dated 27.12.2011(in respect of GPL and Axis bank), and reopened the case for fresh hearing by fixing the date as15.05.2013.

The Axis bank, questioning the legal validity of the act of the Revenue Secretary to recall the orders in force without giving them an opportunity, approached the High Court of Karnataka (HC for brevity) against the adjudicator vide writ petition 21049/2013, seeking cancellation of the order dated 26 April 2013for restarting the hearing. The Court issued notices to the respondents namely the adjudicator and the GPL for hearing and routinely approved the request for interim stay. On the basis of the petition which was pending admission at the HC, the Axis bank requested the adjudicator to stop the hearings till the petition is disposed of. The HC vide order dated 5.6.2013 allowed the petition with observations that since the impugned order dated 26.04.2013is passed without a notice to the petitioner and without hearing, the order cannot be sustained as it is in violation of principles of natural justice. Accordingly the HC quashed the review order of the adjudicator dated 26.04.2013.

The court without taking into cognisance the defective interpretation in the original order dated December 27, 2011 and the unfair situation the cyber victims of Karnataka are made to face due to such extraneous interpretation by the adjudicator, went on to hold as follows: "The question as to whether the adjudication officer can recall his order is also a question needs to be considered. Be as it may, this court doesn't wish to enter into that question at this stage, in as much as, the matter can be disposed of on a short point. Since the impugned order is passed without notice to the petitioner, and without hearing it, the same cannot be sustained in as much as the same is in violation of principles of natural justice. Accordingly, the impugned order stands quashed. It is open for the second respondent to pursue appeal no 1/2012 filed by it before the appellate authority as per law".

The prolonged and painful wait

The facts narrated above indicate that the High Court had come to a decision on a "short point" without taking into consideration the impact of such decision on the unfortunate cyber victims. Further, the Court did not stop at quashing the order dated 26.04. 2013 of the adjudicator, but went ahead to suggest GPL (the second respondent) to approach CAT for redressal of its grievance though this did not appear to have been prayed for by them. The HC was aware of the fact that CAT was not functional during the relevant time, but still went ahead to advise the victim to seek redressal in CAT. These facts indicate that there was no fair course of action suggested by the HC resulting further persecution of the victims. In view of the HC directions, the adjudication order dated 27th Dec, 2011 regained a larger jurisdictional precedence across the country and prevented the adjudicators from taking up any complaint either by a company or against a company to provide civil remedy as provided under cyber laws, which has resulted in prolonged sufferings to such victims in Karnataka.

The Plight of cyber crime victims in Karnataka was earlier explained to me by Mr. Na. Vijayashankar, popularly known as 'naavi', an information assurance consultant who is fighting for restoration of the rights of such victims, in a conference held at NSLIU during 2012. With a fond hope that the situation might have been sorted out, I recently spoke to him on the issue, but to my astonishment I am disappointed to find that there is little improvement in the situation, all due to lethargic approach by the executive. The adjudication process as well as the non-functioning appellate forum (CAT) needs to be set right immediately, so that the cyber victims in Karnataka are able to get justice under the IT Act,on par with the justice available to the victims in other States. It is unfortunate that though the IT Act extends relief to all the cyber victims across India,but the Act has created snag only to the victims in Karnataka.

The legal remedy

From the above narration, it is clear that the existing plight of the cyber victims in Karnataka are due to the following reasons:

1. Poor drafting of cyber law- the term 'Person' is not specifically defined in the Act. 'Person' should have been defined to include everyone engaged in cyber related activities to be covered for violations and reliefs under the Act.

2. The designated adjudicating authority has failed to understand the manner of interpretation of statutes to be adopted in legal proceedings.

3. The CAT is not functional and, therefore, failing to provide suitable appellate remedy to the aggrieved.

4.  The Judicial system has resorted to routine manner to dispose of the case as against providing fair justice under the prevailing circumstances.

Therefore, the remedies available are:

1. Make the CAT fully functional immediately so that all the appeals filed since 2011 are disposed of on priority in a fair manner.

2. Educate and train all the adjudicating officers in the department of communication about cyber laws and the necessary procedures to be followed during quasi-judicial proceedings.

3. Amend the cyber law appropriately to incorporate a definition for 'person' "under the law to include"- (i) an individual, (ii) a Hindu undivided family, (iii) a company, (iv) a society, (v) a limited liability partnership, (vi) a firm, (vii) an association of persons or body of individuals, whether incorporated or not, (viii) Government, (ix) a local authority, or (x) every artificial juridical person, not falling within any of the preceding sub-clauses;

While our Government is embracing Digital India as a vision by propagating e-solutions and offeringe-services as a tool of least governance to its citizens, it is felt appropriate to have a 'fair and working executive and judicial mechanism' in place for addressing the grievances arising out of such cyber services as stipulated under IT Act on priority. Then alone, people will be able to reap the benefits of Digital India.

(The author is a Faculty at the National Academy of Customs Excise and Narcotics(NACEN), Bengaluru and the views expressed are strictly personal.)