Financial Daily from THE HINDU group of publications. Monday, Jan 10, 2005
eWorld
Whose fault is it anyway?
Kripa Raman
THE dust kicked up by the drama may have settled down, but not the questions it has thrown up. Yes, we are talking of the recent arrest of Avnish Bajaj, Chief Executive Officer of Internet auction portal baazee.com, a subsidiary of the US-based eBay. Bajaj was held after an advertisement for sale of pornographic material appeared on the auction site. He was released on bail subsequently. But the issue has stirred hot debate in the technology, legal and security circles in the country regarding the laws that regulate cyberspace.
In the Baazee case, a video clip of a sexual encounter between two school students (shot on a mobile phone) made its way into the hands of an IIT student. He put up an advertisement on Baazee.com, offering to sell the video clip. Several sales of the clip took place. The CEO of Baazee, Avnish Bajaj, an India-born US citizen, was arrested under section 67 of the IT Act 2000 (on which India has often patted itself on the back for being a pioneer). This section prohibits the transmission of obscene material in electronic form, prescribing imprisonment of up to five years for violations.
Now, can Bajaj be held responsible when his Web site is not a content Web site so much as a 'service provider' kind of site? Can he be held responsible when the student who put up the advertisement would have agreed to the terms and conditions (which address the issue of pornography) by clicking on the 'I agree' column before putting up his sale announcement on Baazee?
The sign's the thing?
Isn't the crime the student's, ask technology and legal professionals. But the police argued in court that there was no physical signature made by the student agreeing to the terms and conditions. And this precisely is what worries lawyers: that an electronic, as against a written, agreement is not seen as an enforceable contract. This threatens e-commerce itself and undermines the purpose of the IT Act, says advocate N.S. Nappinai. "The IT Act was primarily meant to enable e-commerce and not for tackling cybercrime. It was for acceptance of electronic record." Her concern is on the interpretation of the law. "The concern of clients has been this: does it mean all my (Internet) transactions are wrong? It negates the whole purpose of the Act which was intended to validate e-commerce."
A petition by Mahesh Murthy, CEO of Passion Fund India, which has invested in many e-commerce companies, says the arrest raises far wider implications that can affect the entire Internet-based business in India and elsewhere too. "By rejecting the admissibility of the paperless version of terms of service and insisting on an ink-on-paper signature for legal status, the entire legality of the e-commerce business in India is called to question," he says. "This is ironic, for the largest e-commerce operation in not just India but South Asia is the Indian Railways' online ticket-selling business, a government-owned and run operation which does business worth Rs 18 crore a month." Non-acceptance of electronic agreements would imply a lack of legal standing for all the online ticket sales by the Railways too.
There has to be a level playing field legally when it comes to real life and the virtual world, argues Nappinai, who, like many other legal professionals, says the IT Act needs fine-tuning. "You have to distinguish between civil responsibility and criminal responsibility, and the IT Act does not make the distinction. Criminal responsibility is on a different footing altogether," she says.
The law does not talk about vicarious liability, and the industry and legal fraternity should sit down and address these issues. "Otherwise every person hosting a Web site could become liable for anything that may happen."
Section 79 of the IT Act, under certain conditions, does not hold the network service provider liable for third party information. "No network service provider shall be liable under this Act... for any third party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised due diligence to prevent the commission of such offence." However, even this requires fine-tuning. As senior legal experts point out, this puts the onus of proving innocence on the network service provider, whereas in general law the onus is on the prosecution to prove that the accused is guilty. To this extent the IT Act is retrograde, they say, and needs to be polished up.
"Even on the Internet, the law of the land must be applicable," says Sailesh Haribhakti, accounting expert. There is a provision concerning pornography in the Indian Penal Code. But to take analogous situations: would the municipal commissioner be arrested for sale of pornographic material on municipal roads; would a landlord be arrested for a crime committed by a tenant of his on his premises, asks Harish Mehta, co-Chairman, IT Cell of the Indian Merchants Chamber. Was the telecom service provider held responsible for the original smutting MMS created and transmitted by the Delhi school student through? Or, would Hotmail or Yahoo be held responsible for pornographic spam? And Baazee is not a content provider that would have to take primary responsibility for the content, he says.
The other problem is the term 'due diligence', which is open to misinterpretation, especially by law enforcement agencies that are not savvy with technology, and needs to be spelt out clearly, say experts.
The case has opened the industry's eyes to even larger concerns. "We are not making a judgement on the Baazee case; all we are saying is that when technological glitches happen, or when technology cannot be monitored, who takes the responsibility for it?" says Mehta. "We must develop systems for this," says Haribhakti. "Nobody will disagree that something should be done and that somebody should be responsible. But what are the systems we have for assigning of responsibility when it comes to technology issues? We are in the early stage of making people singly responsible."
Forget pornography or one-to-one crimes and thefts happening through the Internet. What if a large transaction portal were to give way or be hacked into? Who takes up the responsibility for the enormous losses or exploitation that could happen during that time? The creation of a system would at least create a hierarchy of accountability when it comes to technology issues.
Just as there is the Sarbanes-Oxley Act in the US under which the CEO and CFO personally undertake responsibility in the matter of financial audits, there are Information Systems (IS) audits too for which the CEO, CFO and Chief Information Officer would take up the responsibility, says Joy Anthony, who heads PCS' consultancy practice. The Reserve Bank of India has already made IS audits compulsory for banks and financial institutions in India. For this there are experts who are Certified Information Systems Auditors (CISA); the Information Systems Audit and Control Association (ISACA) provides the certification.
According to Venugopal Iyengar, who oversees the audit practice at Tata Consultancy Services and is also vice-president of the ISACA Mumbai chapter, there are 2,000 CISA professionals in the country today. And, he says, SEBI has set up a task force in conjunction with ISACA's Indian chapter to make IS audits mandatory for the rest of Indian industry too. The task force will bring out its recommendations in six months.
Currently, non-financial companies have to conduct financial audit alone, while banks and financial institutions go for IS audits too. In the non-banking sector, multinationals and companies such as TCS, which has clients abroad, already do IS audits voluntarily, he says. "Anyone who has a Web presence should do this audit, any organisation which uses IT must put in place its IT policy and evaluate it frequently," he says. The RBI itself has got its Web site audited and tested by PCS, says Anthony. "And the risk assessment is done every quarter to see how vulnerable the site is to hacking or other risks, what would be the monetary losses and how much must be invested to mitigate the risk."
Once IS audits are made mandatory, IS auditors and the chief information officer of a company will have to send a report to the management, explicitly stating that the audit is effective; and the CEO and CFO will have to sign that too. But once this becomes mandatory, the demand for people who do these audits, CISA professionals and CISSP (Certified Information Systems Security Professional) and the rest, will increase dramatically.
The problem is that for smaller companies an IS audit could get very expensive, disproportionate to their revenues and profits, says Iyengar of ISACA. For CISA professionals, maintaining one's CISA qualification itself is an expensive proposition; it could cost $1,500 per year to maintain one's certification, apart from other certifications, which the professionals usually hold. The result is that most of them end up going abroad for audit assignments where they could earn up to $200 per hour. In fact the big four in India as well as the IT majors already have these practices going. Will India have enough people to implement IS audits? Maybe more people will qualify once the demand rises, feels Anthony.
There is another task force, consisting of Nasscom members, industry bodies and legal experts, who are working towards evolving a cyber law similar to that of the criminal procedure code, say lawyers. This is in the wake of the Baazee episode. The Baazee episode will eventually see a drastic overhaul of the entire Indian legal system pertaining to the Web, say lawyers.
Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line