The Hindu Business Line : Extend hacking to cover unauthorised access: Nasscom

IN a bid to check issues relating to data protection and data privacy, the National Association of Software and Service Companies(Nasscom) has suggested amendments to the existing Information Technology (IT) Act, including extending the definition of hacking to cover unauthorised access to a computer system for downloading or copying data.

"We have done an analysis between the Indian legal framework and the framework in the US or the European Union (EU), and identified gaps in Indian laws that deal with issues like hacking and data protection. We feel there is no need for a separate Act, as the IT Act, IPC and Contracts Act, Specific Welfare Act and Consumer Protection Act have adequate provisions to address these issues. It only requires amendments to the IT Act," Mr Sunil Mehta, Vice-President, Nasscom, told Business Line.

According to Nasscom, three aspects that need to be addressed in any regulation on hacking and data are recognising as an offence an unauthorised access to a computer system; unauthorised downloading / copying of data; and accessing any electronic record without the permission of the owner of the data and disseminating the information to another person.

"Section 43 of IT Act relating to penalty for damage to computer system, deals with the issues relating to unauthorised access to computer systems and unauthorised copying and downloading of data," Mr Mehta pointed out. The section talks about imposing penalty on those who, without the permission of the owner of a computer or network, access the system, download or copy any data, introduce computer virus or cause damage to the system.

However, Section 65 of the Act while addressing the issue of tampering with programmes on a system, "does not address tampering of records on a computer system."

"This appears to be put in place with a view to addressing unauthorised changes in computer programmes. If this is, indeed, the case - then we need to figure out how this needs to be extended to unauthorised alteration (modification / deletion ) of a record (described as a piece of information, which resides on the computer system and is used by computer programmes for processing data, but in itself does not trigger any processing) to be included in this," Nasscom said in its analysis.

It said that Section 66 of the IT Act dealing with hacking, only addressed unauthorised access to the computer system where there was an "intent to cause harm." "Theoretically, if a person accesses a computer system in an unauthorised manner and does not do any damage, it would not qualify as hacking. Therefore, a hacker can conceivably access a computer system and download data without it being termed an offence. This would need to be checked out and discussed how to include hacking with the intent to download /copy data."

On the penalty for breach of confidentiality and privacy, Nasscom said that Section 72 of the Act applies only to those persons, who have accessed data or have obtained information, if they disclose the information to a third person.It does not cover an employee who accesses the information (because he is authorised to do so by virtue of his employment) but discloses the information to a third party.