[sbinews] Legal aspects of the Indian cyberporn case (Whose fault is it anyway?) - BusinessLine

  • From: "Rajendra S. Pai" <rs.pai@xxxxxxxxx>
  • To: <sbinews@xxxxxxxxxxxxx>
  • Date: Thu, 13 Jan 2005 10:13:04 +0530

Whose fault is it anyway?

Kripa Raman
The Business Line
Published on January 10, 2005

THE dust kicked up by the drama may have settled down, but not the questions
it has thrown up. Yes, we are talking of the recent arrest of Avnish Bajaj,
Chief Executive Officer of Internet auction portal baazee.com, a subsidiary
of the US-based eBay.  Bajaj was held after an advertisement for sale of
pornographic material appeared on the auction site. He was released on bail
subsequently.  But the issue has stirred hot debate in the technology, legal
and security circles in the country regarding the laws that regulate

In the Baazee case, a video clip of a sexual encounter between two school
students, (shot on a mobile phone) made its way into the hands of an IIT
student. He put up an advertisement on Baazee.com, offering to sell the
video clip. Several sales of the clip took place. The CEO of Baazee, Avnish
Bajaj - an India-born US citizen- was arrested under section 67 of the IT
Act 2000 (on which India has often patted itself on its back for being a
pioneer).  This section prohibits the transmission of obscene material in
electronic form, prescribing imprisonment of up to five years for

Now, can Bajaj be held responsible when his Web site is not a content Web
site so much as a `service provider' kind of site? Can he be held
responsible when the student who put up the advertisement, would have agreed
to the terms and conditions (which address the issue of pornography) by
clicking on the `I agree' column before putting up his sale announcement on

The sign's the thing?

Isn't the crime the student's, ask technology and legal professionals. But
the police argued in court that there was no physical signature made by the
student agreeing to the terms and conditions.  And this precisely is what
worries lawyers - that an electronic, as against a written agreement, is not
seen as an enforceable contract.  This threatens e-commerce itself and
undermines the purpose of the IT Act , says advocate N.S. Nappinai.  "The IT
Act was primarily meant to enable e-commerce and not for tackling
cybercrime. It was for acceptance of electronic record."

Her concern is on the interpretation of the law. "The concern of clients has
been this - does it mean all my (Internet) transactions are wrong? It
negates the whole purpose of the Act which was intended to validate
e-commerce."  A petition by Mahesh Murthy, CEO of Passion Fund India, which
has invested in many e-commerce companies, says the arrest raises far wider
implications that can affect the entire Internet-based business in India and
elsewhere too.  "By rejecting the admissibility of the paperless version of
terms of service and insisting on an ink-on-paper signature for legal
status, the entire legality of the e-commerce business in India is called to
question," he says.

"This is ironic, for the largest e-commerce operation in not just India but
South Asia is the Indian Railways' online ticket-selling business - a
government-owned and run operation - which does business worth Rs 18 crore a
month." Non-acceptance of electronic agreements would imply a lack of legal
standing for all the online ticket sales by the Railways too.  There has to
be a level playing field legally when it comes to real life and the virtual
world, argues Nappinai, who like many other legal professionals, says the IT
Act needs fine-tuning. "You have to distinguish between civil responsibility
and criminal responsibility, and the IT Act does not make the distinction.
Criminal responsibility is on a different footing altogether," she says.

The law does not talk about vicarious liability, and the industry and legal
fraternity should sit down and address these issues. "Otherwise every person
hosting a Web site could become liable for anything that may happen."
Section 79 of the IT Act, under certain conditions, does not hold the
network service provider liable for third party information. "No network
service provider shall be liable under this Act... for any third party
information or data made available by him if he proves that the offence or
contravention was committed without his knowledge or that he had exercised
due diligence to prevent the commission of such offence."

However, even this requires fine-tuning. As senior legal experts point out,
this puts the onus of proving innocence on the network service provider;
whereas in general law, the onus is on the prosecution to prove that the
accused is guilty.  To this extent the IT Act is retrograde, they say, and
needs to be polished up. "Even on the Internet, the law of the land must be
applicable," says Sailesh Haribhakti, accounting expert.

There is a provision concerning pornography in the Indian Penal Code. But -
to take analogous situations - would the municipal commissioner be arrested
for sale of pornographic material on municipal roads; would a landlord be
arrested for a crime committed by a tenant of his on his premises, asks
Harish Mehta, co-Chairman, IT Cell of the Indian Merchants Chamber.  Was the
telecom service provider held responsible for the original smutting MMS
created and transmitted by the Delhi school student through? Or, would
Hotmail or Yahoo be held responsible for pornographic spam?

And Baazee is not a content provider that would have to take primary
responsibility for the content, he says.  The other problem is the term `due
diligence' which is open to misinterpretation, especially by law enforcement
agencies that are not savvy with technology, and needs to be spelt out
clearly, say experts.  The case has opened the industry's eyes to even
larger concerns. "We are not making a judgement on the Baazee case; all we
are saying is that when technological glitches happen, or when technology
cannot be monitored, who takes the responsibility for it?" says Mehta.

"We must develop systems for this," says Haribhakti.  "Nobody will disagree
that something should be done and that somebody should be responsible. But
what are the systems we have for assigning of responsibility when it comes
to technology issues? We are in the early stage of making people singly
responsible."  Forget pornography or one-to-one crimes and thefts happening
through the Internet. What if a large transaction portal were to give way or
be hacked into, who takes up the responsibility for the enormous losses or
exploitation that could happen during that time?

The creation of a system would at least create a hierarchy of accountability
when it comes to technology issues.  Just as there is the Sarbanes-Oxley Act
in the US under which the CEO and CFO personally undertake responsibility in
the matter of financial audits, there are Information Systems (IS) audits
too for which the CEO, CFO and Chief Information Officer would take up the
responsibility, says Joy Anthony, who heads PCS' consultancy practice.

The Reserve Bank of India has already made IS audits compulsory for banks
and financial institutions in India. For this there are experts who are
Certified Information Systems Auditors (CISA); the Information Systems Audit
and Control Association (ISACA) provides the certification.  According to
Venugopal Iyengar, who oversees the audit practice at Tata Consultancy
Services and is also vice-president of the ISACA Mumbai chapter, there are
2,000 CISA professionals in the country today.

And, he says, SEBI has set up a task force in conjunction with ISACA's
Indian chapter, to make IS audits mandatory for the rest of Indian industry
too. The task force will bring out its recommendations in six months.
Currently, non-financial companies have to conduct financial audit alone,
while banks and financial institutions go for IS audits too.  In the
non-banking sector, multinationals and companies such as TCS, which has
clients abroad, already do IS audits voluntarily, he says.  "Anyone who has
a Web presence should do this audit, any organisation which uses IT must put
in place its IT policy and evaluate it frequently," he says. The RBI itself
has got its Web site audited and tested by PCS, says Anthony.

"And the risk assessment is done every quarter to see how vulnerable the
site is to hacking or other risks, what would be the monetary losses and how
much must be invested to mitigate the risk."

Once IS audits are made mandatory, IS auditors and the chief information
officer of a company will have to send a report to the management,
explicitly stating that the audit is effective; and the CEO and CFO will
have to sign that too.

But once this becomes mandatory, the demand for people who do these audits -
CISA professionals and CISSP (Certified information systems security
professional) and the rest - will increase dramatically.

The problem is that for smaller companies an IS audit could get very
expensive, disproportionate to their revenues and profits, says Iyengar of
ISACA.  For CISA professionals, maintaining one's CISA qualification itself
is an expensive proposition; it could cost $ 1,500 per year to maintain
one's certification, apart from other certifications, which the
professionals usually hold.  The result is that most of them end up going
abroad for audit assignments where they could earn up to $200 per hour. In
fact the big four in India as well as the IT majors already have these
practices going.

Will India have enough people to implement IS audits? Maybe more people will
qualify once the demand rises, feels Anthony.  There is another task force
consisting of Nasscom members, industry bodies and legal experts who are
working towards evolving a cyber law similar to that of criminal procedure
code, say lawyers. This is in the wake of the Baazee episode. The Baazee
episode will eventually see a drastic overhaul of the entire Indian legal
system pertaining to the Web, say lawyers.

This message is intended only for the use of the Addressee and may contain 
information that is PRIVILEGED and CONFIDENTIAL. If you are not the intended 
recipient, please erase all copies of the message and its attachments.  Any 
unauthorized access, usage, reproduction, disclosure of the contents of the 
mail and its attachments, without the explicit permission of the Bank is 
prohibited and State Bank Of India (SBI) or any of its officials, including the 
sender of this mail, would not in any way be liable for the same. SBI accepts 
no liability for any damage caused by this e-mail.
Email From ""Rajendra S. Pai" <rs.pai@xxxxxxxxx>" was security checked by 3.93  
version of CxProtect(tm)
On: sify_mta at: 11:20:40, 13-Jan-2005 Thursday
Mailing list (sbinews@xxxxxxxxxxxxx) related information:

News/articles about SBI and Banking related matters published  in the print 
media, Internet etc will be circulated through this Mailing List. 

The messages in this list will help in improving awareness of SBI and its 
activities vis-a-vis the happenings in the Banking industry. This should be of 
help to all staff members of SBI, particularly those who are preparing for 
promotional written tests/interviews/group discussions. Subscription to this 
Mailing List is simple and FREE. Please check the procedure below. Please share 
this information with other colleagues/branches that could be interested in 
subscribing to this Mailing List. 

The messages circulated here should not be deemed to have the official 
endorsement of the SBI or any of its employees. The correct factual position 
may be ascertained from official sources. 

To join this mailing list, just send an email to sbinews-request@xxxxxxxxxxxxx 
with the word 'subscribe' without the quotes in the subject of the email 

To leave this mailing list, just send an email to sbinews-request@xxxxxxxxxxxxx 
with the word  'unsubscribe' without the quotes in the subject of the email 

Archives (old messages) are available for viewing at:
Click on the month-year at the lower left corner to view messages posted during 
that month. 

This is an announcements/newsletter type mailing list i.e. only the Moderator/s 
can post messages to the list. 

This mailing list is maintained and moderated by Sri. R.S.Pai, currently 
working as Chief Manager(IT-Internet Banking), SBI, Corporate Centre, Mumbai. 
Visit http://rspai.tripod.com for some useful Banking, Reference and Utilities 

Other related posts:

  • » [sbinews] Legal aspects of the Indian cyberporn case (Whose fault is it anyway?) - BusinessLine