CYBER LAW

(LL.M 1213)

FUNDAMENTALS OF CYBER LAW

Module I
I) CONCEPTUAL AND THEORETICAL PERSPECTIVE OF CYBER LAW

Introduction to Indian Cyber Law

This document is an extract from the book IPR & Cyberspace – Indian Perspective authored by Rohas Nagpal. This book is available as courseware for the Diploma in Cyber Law and PG Program in Cyber Law conducted by Asian School of Cyber Laws www.asianlaws.org

Fundamentals of Cyber Law © 2008 Rohas Nagpal. All rights reserved.

1. Jurisprudence of Cyber Law

Jurisprudence studies the concepts of law and the effect of social norms and regulations on the development of law. Jurisprudence refers to two different things.
1. The philosophy of law, or legal theory
2. Case Law

Legal theory does not study the characteristics of law in a particular country (e.g. India or Canada) but studies law in general i.e. those attributes common to all legal systems. Legal theory studies questions such as:
1. What is law and legal system?
2. What is the relationship between law and power?
3. What is the relationship between law and justice or morality?
4. Does every society have a legal system?
5. How should we understand concepts like legal rights and legal obligations or duties?
6. What is the proper function of law?
7. What sort of acts should be subject to punishment, and what sort of punishments should be permitted?
8. What is justice?
9. What rights do we have?
10. Is there a duty to obey the law?
11. What value does the rule of law have?

Case law is the law that is established through the decisions of the courts and other officials. Case law assumes even greater significance when the wordings of a particular law are ambiguous. The interpretation of the Courts helps clarify the real objectives and meaning of such laws.

This chapter first discusses the meaning of cyber law and the need for the separate discipline of cyber law. This chapter covers the following topics:
1. What Is Cyber Law?
2. Need for Cyber Law
3. Jurisprudence of Indian Cyber Law
4. Evolution of Key Terms and Concepts
5. Evolution of Cyber Crime

1.1 What is Cyber Law?

Cyber Law is the law governing cyber space.
Cyber space is a very wide term and includes computers, networks, software, data storage devices (such as hard disks, USB disks etc), the Internet, websites, emails and even electronic devices such as cell phones, ATM machines etc.

Law encompasses the rules of conduct:
1. that have been approved by the government, and
2. which are in force over a certain territory, and
3. which must be obeyed by all persons on that territory.

Violation of these rules could lead to government action such as imprisonment or fine or an order to pay compensation.

Cyber law encompasses laws relating to:
1. Cyber Crimes
2. Electronic and Digital Signatures
3. Intellectual Property
4. Data Protection and Privacy

Cyber crimes are unlawful acts where the computer is used either as a tool or a target or both. The enormous growth in electronic commerce (e-commerce) and online share trading has led to a phenomenal spurt in incidents of cyber crime. These crimes are discussed in detail further in this chapter. A comprehensive discussion on the Indian law relating to cyber crimes and digital evidence is provided in the ASCL publication titled “Cyber Crimes & Digital Evidence – Indian Perspective”.

Electronic signatures are used to authenticate electronic records. Digital signatures are one type of electronic signature. Digital signatures satisfy three major legal requirements – signer authentication, message authentication and message integrity. The technology and efficiency of digital signatures make them more trustworthy than hand written signatures. These issues are discussed in detail in the ASCL publication titled “Ecommerce – Legal Issues”.

Intellectual property refers to creations of the human mind e.g. a story, a song, a painting, a design etc. The facets of intellectual property that relate to cyber space are covered by cyber law. These include:
• copyright law in relation to computer software, computer source code, websites, cell phone content etc,
• software and source code licences
• trademark law with relation to domain names, meta tags, mirroring, framing, linking etc
• semiconductor law which relates to the protection of semiconductor integrated circuits design and layouts,
• patent law in relation to computer hardware and software.

These issues are discussed in detail in the ASCL publication titled “IPR & Cyberspace - the Indian Perspective”.

Data protection and privacy laws aim to achieve a fair balance between the privacy rights of the individual and the interests of data controllers such as banks, hospitals, email service providers etc. These laws seek to address the challenges to privacy caused by collecting, storing and transmitting data using new technologies.

1.2 Need for Cyber Law

There are
various reasons why it is extremely difficult for conventional law to cope with cyberspace. Some of these are discussed below.
1. Cyberspace is an intangible dimension that is impossible to govern and regulate using conventional law.
2. Cyberspace has complete disrespect for jurisdictional boundaries. A person in India could break into a bank’s electronic vault hosted on a computer in USA and transfer millions of Rupees to another bank in Switzerland, all within minutes. All he would need is a laptop computer and a cell phone.
3. Cyberspace handles gigantic traffic volumes every second. Billions of emails are crisscrossing the globe even as we read this, millions of websites are being accessed every minute and billions of dollars are electronically transferred around the world by banks every day.
4. Cyberspace is absolutely open to participation by all. A ten-year-old in Bhutan can have a live chat session with an eight-year-old in Bali without any regard for the distance or the anonymity between them.
5. Cyberspace offers enormous potential for anonymity to its members. Readily available encryption software and steganographic tools that seamlessly hide information within image and sound files ensure the confidentiality of information exchanged between cyber-citizens.
6. Cyberspace offers never-seen-before economic efficiency. Billions of dollars worth of software can be traded over the Internet without the need for any government licenses, shipping and handling charges and without paying any customs duty.
7. Electronic information has become the main object of cyber crime. It is characterized by extreme mobility, which exceeds by far the mobility of persons, goods or other services. International computer networks can transfer huge amounts of data around the globe in a matter of seconds.
8. A software source code worth crores of rupees or a movie can be pirated across the globe within hours of their release.
9. Theft of corporeal information (e.g. books, papers, CD ROMs, floppy disks) is easily covered by traditional penal provisions. However, the problem begins when electronic records are copied quickly, inconspicuously and often via telecommunication facilities. Here the “original” information, so to say, remains in the “possession” of the “owner” and yet information gets stolen.

1.3 Jurisprudence of Indian Cyber Law

The primary source of cyber law in India is the Information
Technology Act, 2000 (IT Act) which came into force on 17 October 2000. The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government. The IT Act also penalizes various cyber crimes and provides strict punishments (imprisonment terms up to 10 years and compensation up to Rs 1 crore).

An Executive Order dated 12 September 2002 contained instructions relating to provisions of the Act with regard to protected systems and application for the issue of a Digital Signature Certificate. Minor errors in the Act were rectified by the Information Technology (Removal of Difficulties) Order, 2002 which was passed on 19 September 2002.

The IT Act was amended by the Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002. This introduced the concept of electronic cheques and truncated cheques.

Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 has provided the necessary legal framework for filing of documents with the Government as well as issue of licenses by the Government. It also provides for payment and receipt of fees in relation to the Government bodies.

On the same day, the Information Technology (Certifying Authorities) Rules, 2000 also came into force. These rules prescribe the eligibility, appointment and working of Certifying Authorities (CA). These rules also lay down the technical standards, procedures and security methods to be used by a CA. These rules were amended in 2003, 2004 and 2006.

Note: The Act, rules, regulations, orders etc referred to in this section are discussed in more detail in the Chapter 3 titled “Introduction to Indian Cyber Law”.

Information Technology (Certifying Authority) Regulations, 2001 came into force on 9 July 2001. They provide further technical standards and procedures to be used by a CA.

Two important guidelines relating to CAs were issued. The first are the Guidelines for submission of application for license to operate as a Certifying Authority under the IT Act. These guidelines were issued on 9th July 2001. Next were the Guidelines for submission of certificates and certification revocation lists to the Controller of Certifying Authorities for publishing in National Repository of Digital Certificates. These were issued on 16th December 2002.

The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 also came into force on 17th October 2000. These rules prescribe the appointment and working of the Cyber Regulations Appellate Tribunal (CRAT) whose primary role is to hear appeals against orders of the Adjudicating Officers.

The Cyber Regulations Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Presiding Officer) Rules, 2003 prescribe the salary, allowances and other terms for the Presiding Officer of the CRAT. Information Technology (Other powers of Civil Court vested in Cyber Appellate Tribunal) Rules 2003 provided some additional powers to the CRAT.

On 17th March 2003, the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 were passed. These rules prescribe the qualifications required for Adjudicating Officers. Their chief responsibility under the IT Act is to adjudicate on cases such as unauthorized access, unauthorized copying of data, spread of viruses, denial of service attacks, disruption of computers, computer manipulation etc. These rules also prescribe the manner and mode of inquiry and adjudication by these officers.

The appointment of adjudicating officers to decide the fate of multi-crore cyber crime cases in India was the result of the public interest litigation filed by students of Asian School of Cyber Laws (ASCL). The Government had not appointed the Adjudicating Officers or the Cyber Regulations Appellate Tribunal for almost 2 years after the passage of the IT Act. This prompted ASCL students to file a Public Interest Litigation (PIL) in the Bombay High Court asking for a speedy appointment of Adjudicating officers.

The Bombay High Court, in its order dated 9th October 2002, directed the Central Government to announce the appointment of adjudicating officers in the public media to make people aware of the appointments. The division bench of the Mumbai High Court consisting of Hon’ble Justice A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that the Cyber Regulations Appellate Tribunal be constituted within a reasonable time frame.

Following this the Central Government passed an order dated 23rd March 2003 appointing the “Secretary of Department of Information Technology of each of the States or of Union Territories” of India as the adjudicating officers.

The Information Technology (Security Procedure) Rules, 2004 came into force on 29th October 2004. They prescribe provisions relating to secure digital signatures and secure electronic records. Also relevant are the Information Technology (Other Standards) Rules, 2003.

An important order relating to blocking of websites was passed on 27th February, 2003. Computer Emergency Response Team (CERT-IND) can instruct Department of Telecommunications (DOT) to block a website.

The Indian Penal Code (as amended by the IT Act) penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc.

Digital Evidence is to be collected and proven in court as per the provisions of the Indian Evidence Act (as amended by the IT Act). In case of bank records, the provisions of the Bankers’ Book Evidence Act (as amended by the IT Act) are relevant.

Investigation and adjudication of cyber crimes is done in accordance with the provisions of the Code of Criminal Procedure and the IT Act. The Reserve Bank of India Act was also amended by the IT Act.

1.4 Evolution of key terms and concepts

To understand the
jurisprudence of cyber law, it is essential to examine how the definitions of key terms and concepts have developed.

1.4.1 Computer

According to section 2(1)(i) of the IT Act "computer" means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

Simply put, a computer has the following characteristics:
1. It is a high-speed data processing device or system.
2. It may be electronic, magnetic, optical etc.
3. It performs logical, arithmetic, and memory functions
4. These functions are performed by manipulations of electronic, magnetic or optical impulses.

Computer includes
1. all input facilities,
2. all output facilities,
3. all processing facilities,
4. all storage facilities,
5. all computer software facilities, and
6. all communication facilities
which are connected or related to the computer in a computer system or network.

Let us examine the important terms used in this definition:

According to American law, electronic means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities. [Title 15, Chapter 96, Sub-chapter I, section 7006(2), US Code].

Magnetic means having the properties of a magnet; i.e. of attracting iron or steel e.g. parts of a hard disk are covered with a thin coat of magnetic material.

Simply put, an optical computer uses light instead of electricity to manipulate, store and transmit data. Development of this technology is still in a nascent stage. Optical data processing can perform several operations simultaneously (in parallel) much faster and easier than electronics.

Optical fibre is the medium and the technology associated with the transmission of information as light pulses along a glass or plastic wire or fibre. Optical fibre carries much more information than conventional copper wire and is in general not subject to electromagnetic interference.

A data processing device or system is a mechanism that can perform pre-defined operations upon information. The following are illustrations of functions in relation to a conventional desktop personal computer.
• saving information on a hard disk,
• logging on to the Internet,
• retrieving stored information,
• calculating mathematical formulae.

Logical functions, simply put, refer to non-arithmetic processing that arranges numbers or letters according to a predefined format e.g. arranging numbers in ascending order, arranging words alphabetically etc.

Arithmetic functions, simply put, are operations concerned or involved with mathematics and the addition, subtraction, multiplication and division of numbers.

Memory functions, simply put, refer to operations involving storage of data.

Input facilities are those which transfer information from the outside world into a computer system. E.g. keyboard, mouse, touch screen, joystick, microphone, scanner etc.

Output facilities are those which transfer data out of the computer in the form of text, images, sounds etc to a display screen, printer, storage device etc. Hard disks, USB disks, floppies act as both input and output facilities.

Processing facilities primarily refer to the Central Processing Unit (CPU) of a computer. Referred to as the “brain” of the computer, the CPU processes instructions and data.

Storage facilities include hard disks and other data storage facilities. This term would also include the physical cabinet in which a computer is housed.

Computer software facilities refer to the operating system and application software that are essential for a computer to function in a useful manner.

Communication facilities include the network interface cards, modems and other devices that enable a computer to communicate with other computers.

Illustrations

Considering the wide definition given to the term computer by the IT Act the following are examples of “computers”:
• desktop personal computers
• mobile phones
• microwave ovens
• computer printers
• scanners
• installed computer software
• Automatic Teller Machine (ATM)
• “smart” homes which can be controlled through the Internet

Relevant Case Law

In an interesting case, the Karnataka High Court laid down that ATMs are not computers, but are electronic devices under the Karnataka Sales Tax Act, 1957.

Diebold Systems Pvt Ltd [a manufacturer and supplier of Automated Teller Machines (ATM)] had sought a clarification from the Advance Ruling Authority (ARA) in Karnataka on the rate of tax applicable under the Karnataka Sales Tax Act, 1957 on sale of ATMs.

The majority view of the ARA was to classify ATMs as "computer terminals" liable for 4% basic tax as they would fall under Entry 20(ii)(b) of Part 'C' of Second Schedule to the Karnataka Sales Tax Act.

The Chairman of the ARA dissented from the majority view. In his opinion, ATMs would fit into the description of electronic goods, parts and accessories thereof. They would thus attract 12% basic tax and would fall under Entry 4 of Part 'E' of the Second Schedule to the KST Act.

The Commissioner of Commercial Taxes was of the view that the ARA ruling was erroneous and passed an order that ATMs cannot be classified as computer terminals.

The High Court of Karnataka acknowledged that the IT Act provided an enlarged definition of "computers". However, the Court held that such a wide definition could not be used for interpreting a taxation related law such as the Karnataka Sales Tax Act, 1957. The High Court also said that an ATM is not a computer by itself and it is connected to a computer that performs the tasks requested by the persons using the ATM. The computer is connected electronically to many ATMs that may be located at some distance from the computer.

Diebold Systems Pvt Ltd vs. Commissioner of Commercial Taxes ILR 2005 KAR 2210, [2006] 144 STC 59(Kar)

1.4.2 Data

According to section 2(1)(o) of the IT Act “data” means a
representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

Simply put, data is
1. a representation of information, knowledge, facts, concepts or instructions,
2. prepared or being prepared in a formalized manner,
3. processed, being processed or sought to be processed in a computer.

Illustration

Sanya is typing a document on her computer. The moment she presses keys on her keyboard, the corresponding alphabets are shown on her screen. But in the background some parts of the document are stored in the RAM of her computer (being processed) while other parts are stored on the hard disk (processed). At any given instant some information would be passing from her keyboard to the computer (sought to be processed).

Data can be in many forms such as
1. computer printouts,
2. magnetic storage media e.g. hard disks,
3. optical storage media e.g. CD ROMs, DVDs, VCDs
4. punched cards or tapes i.e. a paper card in which holes are punched.

Illustration

The electronic version of this book stored on your computer or on a CD would be “data”. A printout of the electronic version of this book will also be “data”.

1.4.3 Computer Software

Computer software is a general term
that describes a collection of:
1. computer programs,
2. procedures and
3. documentation.

Computer hardware, on the other hand, consists of the physical devices that can store and execute computer software.

Illustration

Sanya downloads the OpenOffice software from the Internet. In effect what she downloads is an executable file. She double-clicks on the executable file and begins to install the software on her computer. During the installation she specifies the part (drive and folder name etc) of the hard disk where the software files must be saved. During the installation the software also makes entries in system files (e.g. registry) maintained by the operating system (e.g. Windows XP). Once the installation is complete, Sanya can run the software. When she runs the software, relevant software files get loaded into RAM and are subsequently executed in the CPU (central processing unit).

Computer software can be divided into two fundamental categories – system software and application software. Application software uses the computer directly for performing user tasks. System software enables the application software to use the computer’s capabilities.

Analogy

An oil company drills for oil on the sea bed. This oil is then processed and provided to the customer in the form of petrol for his car. Here the petrol is like the application software – it helps the user to run his car. The oil company is like the system software – it enables the petrol to be taken to the user.

System software can be of various types such as:
1. operating systems which form the platform for all other software on a computer,
2. device drivers which allow computer programs to interact with hardware devices such as printers, scanners etc,
3. programming tools which help programmers to develop and test other programs,
4. compilers which compile the source code into the object code,
5. linkers which link object code files (and libraries) to generate an executable file,
6. utility software that helps manage and tune the computer hardware, operating system or application software.

Application software includes
1. word processors (e.g. Microsoft Word),
2. spreadsheets (e.g. Microsoft Excel)
3. presentation software (e.g. Microsoft Powerpoint)
4. media players (e.g. Microsoft Windows Media Player)
5. games (e.g. Need for Speed, Age of Empires)
6. forensic software (e.g. Winhex, X-Ways Forensics)
7. encryption software (e.g. PGP)
8. Internet browsers (e.g. Mozilla Firefox)
9. FTP clients (e.g. FireFTP)
and hundreds of other types of software.

1.4.4 Computer System

According to section 2(1)(l) of the IT Act "computer system" means a
device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programs, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.

Simply put, a computer system has the following characteristics:
1. it is a device or collection of devices which contain data or programs,
2. it performs functions such as logic, storage, arithmetic etc,
3. it includes input and output support systems,
4. it excludes non-programmable calculators.

Illustrations:
• Laptop computers
• Cell phones
• Sophisticated laser printers
• High-end scanners

The American courts have held that the Internet falls under the definition of computer system and the use of email is accessing a computer. State of Pennsylvania v. Murgalis [No. 189 MDA 1999 (Pa. Super.Ct., June 2, 200)]

1.4.5 Computer Network

According to section 2(1)(j) of the IT Act "computer network" means the interconnection of one
or more computers through: (i) the use of satellite, microwave, terrestrial line or other communication media and (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained.

Simply put, a computer network is the interconnection of one or more computers through:

• satellite
Satellite Internet connection is an arrangement in which the outgoing and incoming data travels through a satellite. Each subscriber’s hardware includes a satellite dish antenna and a transceiver (transmitter / receiver). The dish antenna transmits and receives signals.

• microwave
The term microwave refers to electromagnetic waves of a particular frequency. Microwave frequencies are used in radars, Bluetooth devices, radio astronomy, GSM mobile phone networks, broadcasting and telecommunication transmissions etc.

• terrestrial line or
Terrestrial lines include fibre optic cables, telephone lines etc.

• other communication media
Communication media refers to any instrument or means that facilitates the transfer of data, as between a computer and peripherals or between two computers. Other ways in which two computers can be connected include cables, hubs, switches etc.

iii) Developments in Corporate and Cyber Laws – National and International Perspective

Globalisation, as the most conspicuous feature in the worldwide development of modern society, has indeed influenced all aspects of the nation’s growth and more noticeably international trade, trade relations and the legal systems. In this emerging scenario fusion of intellect and technology has struck the world and stretched our minds, capabilities and capacities irreversibly. This irreversibility in turn calls for questioning as to how to manage and gain from the globalisation process in the digital environment. As the quest for greater mobility, efficiency and integration requires changed governance structures, the need for harmonization of laws and international cooperation for their enforcement is well recognised. In the changing corporate landscape, in which national economies seek to integrate themselves through the vehicle of information technology to create new economic order, the existing governance systems have, to a large extent, become redundant and appear incapable of maintaining their relevance, thus providing impetus for corporate law reforms and evolving uniform e-governance norms across the world. Therefore, modernisation of laws assumes priority in the economic reforms process as alignment of law with changing norms is an essential prerequisite for a growing economy and promoting economic development. These modern legislations have to deal with the impact of changing trends in the economy and technology.

The basic objective of the 29th National Convention is essentially to gauge the direction
and evaluate the magnitude of developments in corporate and cyber laws and to
deliberate upon their desired orientation.

First Technical Session – Perspective and Imperatives in Company Law Reforms

With the recognition that the ultimate goal in the new economic order is that corporations are governed in a transparent manner and behave responsively to societal demands, the importance of corporate behaviour to performance, competitiveness and growth cannot be overstated. It is in this context that the developments in company law have made qualitative improvements in substantive as well as procedural aspects of law. Corporate self-regulation has been encouraged with proper checks and balances. The elements of good corporate governance, investor protection and shareholder democracy have been strengthened. However, corporate realities in the wake of globalisation and advancement in information technology remain unattended. In this context directors meeting on phone, consolidation of accounts, limited liability partnership and virtual companies are issues among others requiring focused attention of the Government. Differences in national law and procedures create consequences for companies with assets and liabilities in other countries and require putting in place an entirely new legislation compatible with international trends, capable of providing quick, expeditious and efficient winding up procedure. It is in this context that the Government is in the process of introducing further changes in the company law.

The First Technical Session will discuss in detail the developments in company
law and deliberate upon various contemporary issues necessary for better
corporate governance structure in an E-enabled environment.

Second Technical Session – Financial Market Dynamism and Reforms in Securities Laws

Globalisation, coupled with open markets and advancement in technology, has made the weakness in capital markets more explicit than ever before, besides placing regulators under tremendous pressures. Thus a competitive market for regulatory regimes challenges not only the international aspects of securities regulation, but also the domestic regulatory aspects to a large extent. Fundamental changes in the regulatory framework are taking place the world over. One of the major reasons for revamping the regulatory framework is the overlapping functions and consequent emergence of over-regulation in some areas and under-regulation in others. Empirical evidence shows that there are multiple agencies regulating the functioning of intermediaries and financial markets. Consensus seems to have emerged on the issue of having a unified agency as regulatory authority so as to ensure proper monitoring of the activities of financial system and securities market. In view of these underpinnings, Indian regulators and policy makers should also start contemplating major changes in the regulatory system, drawing from their own experiences, including periodic crises, and following major changes in international regulatory experiments.

The Second Technical Session will therefore discuss the impact of global
integration on Indian financial system and securities market and developments in
securities laws to make the integration smooth. The discussion will also focus on
the changes taking place in the regulatory framework for financial markets.

Third Technical Session – Synchronising Trade Related Laws in WTO Environment

Legislative modernisation is required when international developments and
domestic economic policy create a demand for new laws. An active law making
mechanism can contribute tremendously to the success of economic policy. The
worldwide movement towards open market policies and the expansion of
international trade have changed the corporate landscape altogether, requiring
Governments to put in place a credible legislative framework to cope with
challenges of growing competition, protection of intellectual property rights,
mergers, acquisitions and combinations, and the environment. The new economic
liberalized order and advancements in technology are two vital spheres of
modern society witnessing far-reaching changes, where the character of
legislations itself has to undergo change. In this context, it is important to
examine how national intellectual property regime should be best designed to
benefit the domestic interest and how the international framework for IPRs might
be improved and developed to safeguard the interests of developing countries.
With the opening of trade in goods and services coupled with growing dominance
of technology, a new knowledge society is emerging which would be heavily
dependent on knowledge, generation, access, protection and utilisation. There is
also need for a national strategy to sensitize the innovators, producers and
industry on the need for protection of intellectual property rights. There is an
imperative need for a balanced and integrated approach to trade and law based
on the combination of trade liberalisation, economic development and
environmental protection.

Thus, this penultimate Technical Session will focus its attention on reforms in
trade related laws and charting a future agenda for making them more aligned to
emerging new economic order and the economic policies. The Intellectual
Property Laws, Competition Bill, mergers, acquisition and combinations will
receive added emphasis.

Fourth Technical Session – Developing Regulatory Framework for E-Governance

Advances in communication and computing and the realisation of the power of
internet, as a revolutionary instrument for improving the efficiency and
productivity, are perhaps the most powerful paradigm the world has witnessed in
recent times. The speed of change and adaptability to change have become
key concerns for all concerned. An offshoot of the fast digital revolution is
cyber crime. Therefore systems should be so designed that the breach of
security is reduced to a minimum. The conceptual framework for security issues
is related to legal dimensions. This is where Governments the world over, as well as
international organisations, are busy devising an effective and credible regulatory
framework to ensure good governance. The Government is also making efforts
to put in place a credible legal framework for internet and cyber space.
The Information Technology Act, 2000 is operational; however, an adequate and
effective legal framework with a worldwide perspective remains elusive. The legislative
efforts need to be supported by technical initiatives, because the answers to
various problems, which the regulatory framework may not be able to cope
with, can be found in the machine itself. The technology can also satisfy formal
legal requirements by retaining high degree of information security. Therefore,
the role of technology itself in evolving mechanism for e-governance has to be
considered.

It is in this context that the concluding Technical Session will discuss global
developments in regulatory framework for internet and cyber space. The
discussion will also focus on various aspects of cyber laws in India and the
progress on international cooperation.

MODULE II
CYBER LAW: LEGAL ISSUES AND CHALLENGES IN INDIA, USA AND EU

I) DATA PROTECTION, CYBERSECURITY

Legal aspects of computing are related to the overlapping areas
of law and computing.

The first one, historically, was information technology law (or IT law). ("IT law"
should not be confused with the IT aspects of law itself, although there are
overlapping issues.) IT law consists of the law (statutes, regulations, and
caselaw) which governs the digital dissemination of both (digitalized) information
and software itself (see history of free and open-source software), and legal
aspects of information technology more broadly. IT law covers mainly
the digital information (including information security and electronic commerce)
aspects and it has been described as "paper laws" for a "paperless environment".

Cyberlaw or Internet law is a term that encapsulates the legal issues related to
use of the Internet. It is less a distinct field of law than intellectual
property or contract law, as it is a domain covering many areas of law and
regulation. Some leading topics include internet access and
usage, privacy, freedom of expression, and jurisdiction.

"Computer law" is a third term which tends to relate to issues including both
Internet law and the patent and copyright aspects of computer technology and
software.

Areas of law

There is intellectual property in general, including copyright, rules on fair use,
and special rules on copy protection for digital media, and circumvention of such
schemes. The area of software patents is controversial, and still evolving in
Europe and elsewhere.[1]

The related topics of software licenses, end user license agreements, free
software licenses and open-source licenses can involve discussion of product
liability, professional liability of individual developers, warranties, contract law,
trade secrets and intellectual property.

In various countries, areas of the computing and communication industries are
regulated – often strictly – by government bodies.

There are rules on the uses to which computers and computer networks may be
put; in particular there are rules on unauthorized access, data
privacy and spamming. There are also limits on the use of encryption and of
equipment which may be used to defeat copy protection schemes. The export of
hardware and software between certain states within the United States is also
controlled.

There are laws governing trade on the Internet, taxation, consumer protection,
and advertising.

There are laws on censorship versus freedom of expression, rules on public
access to government information, and individual access to information held on
them by private bodies. There are laws on what data must be retained for law
enforcement, and what may not be gathered or retained, for privacy reasons.

In certain circumstances and jurisdictions, computer communications may be
used in evidence, and to establish contracts. New methods of tapping and
surveillance made possible by computers have wildly differing rules on how they
may be used by law enforcement bodies and as evidence in court.

Computerized voting technology, from polling machines to internet and mobile-phone
voting, raises a host of legal issues.

Some states limit access to the Internet, by law as well as by technical means.

Jurisdiction
Issues of jurisdiction and sovereignty have quickly come to the fore in the era of
the Internet.

Jurisdiction is an aspect of state sovereignty and it refers to judicial, legislative
and administrative competence. Although jurisdiction is an aspect of sovereignty,
it is not coextensive with it. The laws of a nation may have extraterritorial impact
extending the jurisdiction beyond the sovereign and territorial limits of that nation.
This is particularly problematic as the medium of the Internet does not explicitly
recognize sovereignty and territorial limitations. There is no uniform, international
jurisdictional law of universal application, and such questions are generally a
matter of conflict of laws, particularly private international law. An example would
be where the contents of a web site are legal in one country and illegal in
another. In the absence of a uniform jurisdictional code, legal practitioners are
generally left with a conflict of law issue.

Another major problem of cyberlaw lies in whether to treat the Internet as if it
were physical space (and thus subject to a given jurisdiction's laws) or to act as if
the Internet is a world unto itself (and therefore free of such restraints). Those
who favor the latter view often feel that government should leave the Internet
community to self-regulate. John Perry Barlow, for example, has addressed the
governments of the world and stated, "Where there are real conflicts, where there
are wrongs, we will identify them and address them by our means. We are
forming our own Social Contract. This governance will arise according to the
conditions of our world, not yours. Our world is different".[2] A more balanced
alternative is the Declaration of Cybersecession: "Human beings possess a mind,
which they are absolutely free to inhabit with no legal constraints. Human
civilization is developing its own (collective) mind. All we want is to be free to
inhabit it with no legal constraints. Since you make sure we cannot harm you,
you have no ethical right to intrude our lives. So stop intruding!"[3] Other scholars
argue for more of a compromise between the two notions, such as Lawrence
Lessig's argument that "The problem for law is to work out how the norms of the
two communities are to apply given that the subject to whom they apply may be
in both places at once" (Lessig, Code 190).

With the internationalism of the Internet, jurisdiction is a much more tricky area
than before, and courts in different countries have taken various views on
whether they have jurisdiction over items published on the Internet, or business
agreements entered into over the Internet. This can cover areas from contract
law, trading standards and tax, through rules on unauthorized access, data
privacy and spamming to more political areas such as freedom of speech,
censorship, libel or sedition.

Certainly, the frontier idea that the law does not apply in "Cyberspace" is not true.
In fact, conflicting laws from different jurisdictions may apply, simultaneously, to
the same event. The Internet does not tend to make geographical and
jurisdictional boundaries clear, but Internet users remain in physical jurisdictions
and are subject to laws independent of their presence on the Internet. [4] As such,
a single transaction may involve the laws of at least three jurisdictions:

1. the laws of the state/nation in which the user resides,
2. the laws of the state/nation that apply where the server hosting the
transaction is located, and
3. the laws of the state/nation which apply to the person or business with
whom the transaction takes place.

So a user in one of the United States conducting a transaction with another user
in Britain through a server in Canada could theoretically be subject to the laws of
all three countries as they relate to the transaction at hand.[5]

In practical terms, a user of the Internet is subject to the laws of the state or
nation within which he or she goes online. Thus, in the U.S., Jake Baker faced
criminal charges for his e-conduct, and numerous users of peer-to-peer
file-sharing software were subject to civil lawsuits for copyright infringement. This
system runs into conflicts, however, when these suits are international in nature.
Simply put, legal conduct in one nation may be decidedly illegal in another. In
fact, even different standards concerning the burden of proof in a civil case can
cause jurisdictional problems. For example, an American celebrity, claiming to be
insulted by an online American magazine, faces a difficult task of winning a
lawsuit against that magazine for libel. But if the celebrity has ties, economic or
otherwise, to England, he or she can sue for libel in the British court system,
where the standard of "libelous speech" is far lower.

Internet governance is a live issue in international fora such as the International
Telecommunication Union (ITU), and the role of the current US-based co-ordinating
body, the Internet Corporation for Assigned Names and
Numbers (ICANN), was discussed in the UN-sponsored World Summit on the
Information Society (WSIS) in December 2003.

Internet Law
The law that regulates the Internet must be considered in the context of the
geographic scope of the Internet and political borders that are crossed in the
process of sending data around the globe. The unique global structure of
the Internet raises not only jurisdictional issues, that is, the authority to make and
enforce laws affecting the Internet, but also questions concerning the nature of
the laws themselves.

In their essay "Law and Borders -- The Rise of Law in Cyberspace", David R.
Johnson and David G. Post argue that it became necessary for the Internet to
govern itself and instead of obeying the laws of a particular country, "Internet
citizens" will obey the laws of electronic entities like service providers. Instead of
identifying as a physical person, Internet citizens will be known by their
usernames or email addresses (or, more recently, by their Facebook accounts).
Over time, suggestions that the Internet can be self-regulated as being its own
trans-national "nation" are being supplanted by a multitude of external and
internal regulators and forces, both governmental and private, at many different
levels. The nature of Internet law remains a legal paradigm shift, very much in
the process of development.[6]

Leaving aside the most obvious examples of governmental content monitoring
and internet censorship in nations like China, Saudi Arabia and Iran, there are four
primary forces or modes of regulation of the Internet derived from a
socioeconomic theory referred to as Pathetic dot theory by Lawrence Lessig in
his book, Code and Other Laws of Cyberspace:

1. Law: What Lessig calls "Standard East Coast Code," from laws enacted
by government in Washington D.C. This is the most self-evident of the
four modes of regulation. As the numerous United States statutes, codes,
regulations, and evolving case law make clear, many actions on the
Internet are already subject to conventional laws, both with regard to
transactions conducted on the Internet and content posted. Areas like
gambling, child pornography, and fraud are regulated in very similar ways
online as off-line. While one of the most controversial and unclear areas
of evolving laws is the determination of what forum has subject matter
jurisdiction over activity (economic and other) conducted on the internet,
particularly as cross border transactions affect local jurisdictions, it is
certainly clear that substantial portions of internet activity are subject to
traditional regulation, and that conduct that is unlawful off-line is
presumptively unlawful online, and subject to traditional enforcement of
similar laws and regulations.
2. Architecture: What Lessig calls "West Coast Code," from the
programming code of the Silicon Valley. These mechanisms concern the
parameters of how information can and cannot be transmitted across the
Internet. Everything from internet filtering software (which searches for
keywords or specific URLs and blocks them before they can even appear
on the computer requesting them), to encryption programs, to the very
basic architecture of TCP/IP protocols and user interfaces falls within this
category of mainly private regulation. It is arguable that all other modes of
internet regulation either rely on, or are significantly affected by, West
Coast Code.
3. Norms: As in all other modes of social interaction, conduct is regulated by
social norms and conventions in significant ways. While certain activities
or kinds of conduct online may not be specifically prohibited by the code
architecture of the Internet, or expressly prohibited by traditional
governmental law, nevertheless these activities or conduct are regulated
by the standards of the community in which the activity takes place, in this
case internet "users." Just as certain patterns of conduct will cause an
individual to be ostracized from our real world society, so too certain
actions will be censored or self-regulated by the norms of whatever
community one chooses to associate with on the internet.
4. Markets: Closely allied with regulation by social norms, markets also
regulate certain patterns of conduct on the Internet. While economic
markets will have limited influence over non-commercial portions of the
Internet, the Internet also creates a virtual marketplace for information,
and such information affects everything from the comparative valuation of
services to the traditional valuation of stocks. In addition, the increase in
popularity of the Internet as a means for transacting all forms of
commercial activity, and as a forum for advertisement, has brought the
laws of supply and demand to cyberspace. Market forces of supply and
demand also affect connectivity to the Internet, the cost of bandwidth, and
the availability of software to facilitate the creation, posting, and use of
internet content.

These forces or regulators of the Internet do not act independently of each other.
For example, governmental laws may be influenced by greater societal norms,
and markets affected by the nature and quality of the code that operates a
particular system.

Net neutrality

Another major area of interest is net neutrality, which affects the regulation of the
infrastructure of the Internet. Though not obvious to most Internet users, every
packet of data sent and received by every user on the Internet passes through
routers and transmission infrastructure owned by a collection of private and
public entities, including telecommunications companies, universities, and
governments. This is turning into one of the most critical aspects of cyberlaw and
has immediate jurisdictional implications, as laws in force in one jurisdiction have
the potential to have dramatic effects in other jurisdictions when host servers or
telecommunications companies are affected.

Free speech on the Internet

Article 19 of the Universal Declaration of Human Rights calls for the protection
of free expression in all media.

In comparison to traditional print-based media, the accessibility and relative
anonymity of cyber space has torn down traditional barriers between an
individual and his or her ability to publish. Any person with an internet connection
has the potential to reach an audience of millions with little-to-no distribution
costs. Yet this new form of highly accessible authorship in cyber space raises
questions and perhaps magnifies legal complexities relating to the freedom and
regulation of speech in cyberspace.

These complexities have taken many forms, three notable examples being
the Jake Baker incident, in which the limits of obscene Internet postings were at
issue, the controversial distribution of the DeCSS code, and Gutnick v Dow
Jones, in which libel laws were considered in the context of online publishing.
The last example was particularly significant because it epitomized the
complexities inherent to applying one country's laws (nation-specific by definition)
to the internet (international by nature). In 2003, Jonathan Zittrain considered this
issue in his paper, "Be Careful What You Ask For: Reconciling a Global Internet
and Local Law".[7]

In the UK the case of Keith-Smith v Williams confirmed that existing libel laws
applied to internet discussions.[8]

In terms of the tort liability of ISPs and hosts of internet forums, Section 230(c) of
the Communications Decency Act may provide immunity in the United States.[9]

Internet censorship

In many countries, speech through cyberspace has proven to be another means
of communication which has been regulated by the government. The "Open Net
Initiative",[10] whose mission statement is "to investigate and challenge state
filtration and surveillance practices" to "...generate a credible picture of these
practices," has released numerous reports documenting the filtration of internet-
speech in various countries. While China has thus far proven to be the most
rigorous in its attempts to filter unwanted parts of the internet from its
citizens,[11] many other countries - including Singapore, Iran, Saudi Arabia,
and Tunisia - have engaged in similar practices of Internet censorship. In one of
the most vivid examples of information control, the Chinese government for a
short time transparently forwarded requests to the Google search engine to its
own, state-controlled search engines.

These examples of filtration bring to light many underlying questions concerning
the freedom of speech. For example, does the government have a legitimate role
in limiting access to information? And if so, what forms of regulation are
acceptable? For example, some argue that the blocking of "blogspot" and other
websites in India failed to reconcile the conflicting interests of speech and
expression on the one hand and legitimate government concerns on the other
hand.[12]

The Creation of Privacy in U.S. Internet Law

Warren and Brandeis

At the close of the 19th Century, concerns about privacy captivated the general
public, and led to the 1890 publication of Samuel Warren and Louis Brandeis:
"The Right to Privacy".[13] The vitality of this article can be seen today, when
examining the USSC decision of Kyllo v. United States, 533 U.S. 27 (2001)
where it is cited by the majority, those in concurrence, and even those in
dissent.[14]

The motivation of both authors to write such an article is heavily debated
amongst scholars; however, two developments during this time give some insight
to the reasons behind it. First, the sensationalistic press and the concurrent rise
and use of "yellow journalism" to promote the sale of newspapers in the time
following the Civil War brought privacy to the forefront of the public eye. The
other reason that brought privacy to the forefront of public concern was the
technological development of "instant photography". This article set the stage for
all privacy legislation to follow during the 20th and 21st centuries.

Reasonable Expectation of Privacy Test and emerging technology

In 1967, the United States Supreme Court decision in Katz v United States, 389
U.S. 347 (1967) established what is known as the Reasonable Expectation of
Privacy Test to determine the applicability of the Fourth Amendment in a given
situation. It should be noted that the test was not noted by the majority, but
instead it was articulated by the concurring opinion of Justice Harlan. Under this
test, 1) a person must exhibit an "actual (subjective) expectation of privacy" and
2) "the expectation [must] be one that society is prepared to recognize as
'reasonable.'"

Privacy Act of 1974

Inspired by the Watergate scandal, the United States Congress enacted the
Privacy Act of 1974 just four months after the resignation of then
President Richard Nixon. In passing this Act, Congress found that "the privacy of
an individual is directly affected by the collection, maintenance, use, and
dissemination of personal information by Federal agencies" and that "the
increasing use of computers and sophisticated information technology, while
essential to the efficient operations of the Government, has greatly magnified the
harm to individual privacy that can occur from any collection, maintenance, use,
or dissemination of personal information."
For more information see: Privacy Act of 1974

Foreign Intelligence Surveillance Act of 1978

Codified at 50 U.S.C. §§ 1801-1811, this act establishes standards and
procedures for use of electronic surveillance to collect "foreign intelligence" within
the United States. §1804(a)(7)(B). FISA overrides the Electronic
Communications Privacy Act during investigations when foreign intelligence is "a
significant purpose" of said investigation. 50 U.S.C. § 1804(a)(7)(B) and
§1823(a)(7)(B). Another interesting result of FISA is the creation of the Foreign
Intelligence Surveillance Court (FISC). All FISA orders are reviewed by this
special court of federal district judges. The FISC meets in secret, with all
proceedings usually also withheld from both the public eye and the targets of the
desired surveillance.
For more information see: Foreign Intelligence Act

(1986) Electronic Communication Privacy Act

The ECPA represents an effort by the United States Congress to modernize
federal wiretap law. The ECPA amended Title III (see: Omnibus Crime Control
and Safe Streets Act of 1968) and included two new acts in response to
developing computer technology and communication networks. Thus the ECPA
in the domestic venue is divided into three parts: 1) Wiretap Act, 2) Stored Communications
Act, and 3) The Pen Register Act.

Types of Communication:

• Wire Communication: Any communication containing the human
voice that travels at some point across a wired medium such as
radio, satellite or cable.
• Oral Communication:
• Electronic Communication

1. The Wiretap Act: For information see Wiretap Act
2. The Stored Communications Act: For information see Stored
Communications Act
3. The Pen Register Act: For information see Pen Register Act

(1994) Driver's Privacy Protection Act

The DPPA was passed in response to states selling motor vehicle records to
private industry. These records contained personal information such as
name, address, phone number, SSN, medical information, height, weight,
gender, eye color, photograph and date of birth. In 1994, Congress passed
the Driver's Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721-2725, to cease
this activity.
For more information see: Driver's Privacy Protection Act

(1999) Gramm-Leach-Bliley Act

This act authorizes widespread sharing of personal information by financial
institutions such as banks, insurers, and investment companies. The GLBA
permits sharing of personal information between companies joined together
or affiliated as well as those companies unaffiliated. To protect privacy, the
act requires a variety of agencies such as the SEC, FTC, etc. to establish
"appropriate standards for the financial institutions subject to their jurisdiction"
to "insure security and confidentiality of customer records and information"
and "protect against unauthorized access" to this information. 15
U.S.C. § 6801
For more information see: Gramm-Leach-Bliley Act

(2002) Homeland Security Act

Passed by Congress in 2002, the Homeland Security Act, 6 U.S.C. § 222,
consolidated 22 federal agencies into what is commonly known today as the
Department of Homeland Security (DHS). The HSA also created a Privacy
Office under the DoHS. The Secretary of Homeland Security must "appoint a
senior official to assume primary responsibility for privacy policy." This privacy
official's responsibilities include but are not limited to: ensuring compliance
with the Privacy Act of 1974, evaluating "legislative and regulatory proposals
involving the collection, use, and disclosure of personal information by the
Federal Government", while also preparing an annual report to Congress.
For more information see: Homeland Security Act

(2004) Intelligence Reform and Terrorism Prevention Act

This Act mandates that intelligence be "provided in its most shareable form" and
that the heads of intelligence agencies and federal departments "promote a
culture of information sharing." The IRTPA also sought to establish protection
of privacy and civil liberties by setting up a five-member Privacy and Civil
Liberties Oversight Board. This Board offers advice to both the President of
the United States and the entire executive branch of the Federal Government
concerning its actions to ensure that the branch's information sharing policies
are adequately protecting privacy and civil liberties.
For more information see: Intelligence Reform and Terrorism Prevention Act

Legal enactments – examples

Great Britain

The Computer Misuse Act 1990[15] enacted by Great Britain on 29 June 1990,
and which came into force on 29 August 1990, is an example of one of the
earliest of such legal enactments. This Act was enacted with an express
purpose of making "provision for securing computer material against
unauthorized access or modification." Certain major provisions of the
Computer Misuse Act 1990 relate to:

• "unauthorized access to computer materials",
• "unauthorized access with intent to commit or facilitate the commission of
further offences", and
• "unauthorized modification of computer material."

The impact of the Computer Misuse Act 1990 has been limited and with the
Council of Europe's adoption of its Convention on Cyber-Crime, it
has been indicated that amending legislation would be introduced in
parliamentary session 2004–05 in order to rectify possible gaps in its
coverage, which are many.

The CMA 1990 has many weaknesses; the most notable is its inability to
cater for, or provide suitable protection against, a host of high tech
attacks/crimes which have become more prevalent in the last decade. Certain
attacks such as DDoS and botnet attacks cannot be effectively brought to
justice under the CMA. This act has been under review for a number of years.
Computer crimes such as electronic theft are usually prosecuted in the UK
under the legislation that caters for traditional theft (Theft Act 1968), because
the CMA is so ineffective.

India

An example of information technology law is India's Information Technology
Act, 2000, which was substantially amended in 2008. The IT Act, 2000 came
into force on 17 October 2000. This Act applies to the whole of India, and its
provisions also apply to any offense or contravention, committed even
outside the territorial jurisdiction of Republic of India, by any person
irrespective of his nationality. In order to attract provisions of this Act, such an
offence or contravention should involve a computer, computer system, or
computer network located in India. The IT Act 2000 provides an
extraterritorial applicability to its provisions by virtue of section 1(2) read with
section 75. This Act has 90 sections.

India's Information Technology Act 2000 has tried to assimilate legal
principles available in several such laws (relating to information technology)
enacted earlier in several other countries, as also various guidelines
pertaining to information technology law. The Act gives legal validity to
electronic contracts and recognition of electronic signatures. This is a modern
legislation which makes acts like hacking, data theft, spreading of viruses,
identity theft, defamation (sending offensive messages), pornography, child
pornography and cyber terrorism criminal offences. The Act is supplemented by
a number of rules, which include rules for cyber cafes, electronic service
delivery, data security and blocking of websites. It also has rules for observance
of due diligence by internet intermediaries (ISPs, network service
providers, cyber cafes, etc.). Any person affected by data theft, hacking or
spreading of viruses can apply for compensation from the Adjudicator appointed
under Section 46 as well as file a criminal complaint. Appeal from the Adjudicator
lies to the Cyber Appellate Tribunal.

Digital evidence collection and cyber forensics remain at a very nascent
stage in India with few experts and less than adequate infrastructure.[16] In
recent cases, Indian Judiciary has recognized that tampering with digital
evidence is very easy.[17]

Other

Many Asian and Middle Eastern nations use any number of combinations of
code-based regulation (one of Lessig's four methods of net regulation) to
block material that their governments have deemed inappropriate for their
citizens to view. PRC, Saudi Arabia and Iran are three examples of nations
that have achieved high degrees of success in regulating their citizens'
access to the Internet.[11][18]

Electronic signature laws

• Australia - Electronic Transactions Act 1999 (Cth) (also note that there is
  State and Territory mirror legislation)
• Costa Rica - Digital Signature Law 8454 (2005)
• European Union - Electronic Signature Directive (1999/93/EC)
• Mexico - E-Commerce Act [2000]
• U.S. - Digital Signature And Electronic Authentication Law
• U.S. - Electronic Signatures in Global and National Commerce Act
• U.S. - Government Paperwork Elimination Act (GPEA)
• U.S. - Uniform Commercial Code (UCC)
• U.S. - Uniform Electronic Transactions Act - adopted by 46 states
• UK - s.7 Electronic Communications Act 2000

Information technology law

1. Florida Electronic Security Act
2. Illinois Electronic Commerce Security Act
3. Texas Penal Code - Computer Crimes Statute
4. Maine Criminal Code - Computer Crimes
5. Singapore Electronic Transactions Act
6. Malaysia Computer Crimes Act
7. Malaysia Digital Signature Act
8. UNCITRAL Model Law on Electronic Commerce
9. Information Technology Act 2000 of India
10. Thailand Computer Crimes Act B.E.2550

Information Technology Guidelines

1. ABA Digital Signature Guidelines
2. United States Office of Management and Budget

Enforcement agencies
The Information Technology Laws of various countries, and / or their criminal
laws generally stipulate enforcement agencies, entrusted with the task of
enforcing the legal provisions and requirements.

United States Federal Agencies

Many United States federal agencies oversee the use of information
technology. Their regulations are promulgated in the Code of Federal
Regulations of the United States.

Over 25 U.S. federal agencies have regulations concerning the use of digital
and electronic signatures.[19]

India

A live example of such an enforcement agency is Cyber Crime Police Station,
Bangalore,[20] India's first exclusive Cyber Crime enforcement agency.

Other examples of such enforcement agencies include:

• Cyber Crime Investigation Cell[21] of India's Mumbai Police.
• Cyber Crime Police Station[22] of the state Government of Andhra Pradesh,
  India. This Police station has jurisdiction over the entire state of Andhra
  Pradesh, and functions from the Hyderabad city.
• In South India, the Crime Branch of Criminal Investigation Department, in
  Tamil Nadu, India, has a Cyber Crime Cell at Chennai.
• In East India, Cyber Crime Cells have been set up by the Kolkata
  Police as well as the Criminal Investigation Department, West Bengal.

Information Technology Lawyer

An information technology attorney is a professional who handles a variety of
legal matters related to IT. The attorney gets involved in drafting, negotiating,
and interpreting agreements in the areas of software licensing and
maintenance, IT consulting, e-commerce, web site hosting and development,
and telecommunications agreements, as well as handling dispute resolution
and assisting with the client's Internet domain name portfolio. An information
technology attorney works with engineering, IT, and other business units and
ensures that customer information gathered by the company is collected, stored
and used in compliance with privacy policies and applicable laws.

Duties also include providing high quality, specialized and practical advice in
business-to-business and business-to-consumer arrangements and advising
on issues like IT outsourcing arrangements, software and hardware supply
and implementation agreements. An information technology attorney handles
contracts for web site developers and consultants in relation to on-line
projects, provides support and maintains confidentiality/know-how
agreements, and handles contracts for Internet service providers and data
protection advice. An information technology attorney should have a JD degree
or an LL.M degree with admission to the local state bar.

Participants

Company directors, secretaries and other senior executives in the corporate and
financial services sector, practising professionals in secretarial, financial, legal
and management disciplines would benefit from participation in the Convention.

Faculty

Eminent persons from the Government & industry, including professionals and
management experts will address the participants and there would be
brainstorming sessions and interactions. Papers received from professional
bodies abroad will also be presented in the Convention.

Papers for Discussion

Members who wish to contribute papers for publication in the Souvenir or for
circulation at the Conference are requested to send the same preferably on a
computer floppy or through e-mail (drs@icsi-India.com) with one hard copy;
those sending only hard copy may send the same in quadruplicate to the Institute
before October 15, 2001. Papers should not normally exceed 15 typed pages.
These will be considered by a Screening Committee and the decision of the
Institute based on the recommendations of the Screening Committee will be final
in all respects. Suitable honorarium will be paid for papers selected for
circulation at the Convention or for publication in the Souvenir.

I) DATA PROTECTION

The Data Protection Act 1998 (DPA) is an Act of Parliament of the United
Kingdom of Great Britain and Northern Ireland which defines UK law on the
processing of data on identifiable living people. It is the main piece of legislation
that governs the protection of personal data in the UK. Although the Act itself
does not mention privacy, it was enacted to bring British law into line with the EU
data protection directive of 1995 which required Member States to protect
people's fundamental rights and freedoms and in particular their right to privacy
with respect to the processing of personal data. In practice it provides a way for
individuals to control information about themselves. Most of the Act does not
apply to domestic use,[1] for example keeping a personal address book. Anyone
holding personal data for other purposes is legally obliged to comply with this
Act, subject to some exemptions. The Act defines eight data protection
principles. It also requires companies and individuals to keep personal
information to themselves.

History
The 1998 Act replaced and consolidated earlier legislation such as the Data
Protection Act 1984 and the Access to Personal Files Act 1987. At the same time
it aimed to implement the European Data Protection Directive. In some aspects,
notably electronic communication and marketing, it has been refined by
subsequent legislation for legal reasons. The Privacy and Electronic
Communications (EC Directive) Regulations 2003 altered the consent
requirement for most electronic marketing to "positive consent" such as an opt in
box. Exemptions remain for the marketing of "similar products and services" to
existing customers and enquirers, which can still be given permission on an opt
out basis.

The Jersey data protection law was modelled on the UK law.[2]

Personal data
The Act's definition of "personal data" covers any data that can be used to
identify a living individual. Anonymised or aggregated data is not regulated by the
Act, providing the anonymisation or aggregation has not been done in a
reversible way. Individuals can be identified by various means including their
name and address, telephone number or email address. The Act applies only to
data which is held, or intended to be held, on computers ('equipment operating
automatically in response to instructions given for that purpose'), or held in a
'relevant filing system'.[3]

In some cases even a paper address book can be classified as a 'relevant filing
system', for example diaries used to support commercial activities such as a
salesperson's diary.

The Freedom of Information Act 2000 modified the Act for public bodies and
authorities, and the Durant case modified the interpretation of the Act by
providing case law and precedent.[4]

The Data Protection Act creates rights for those who have their data stored, and
responsibilities for those who store, process or transmit such data. The person
who has their data processed has the right to:[5]

• View the data an organisation holds on them. A 'subject access request' can
  be obtained for a nominal fee. As of January 2014, the maximum fee is £2 for
  requests to credit reference agencies, £50 for health and educational requests,
  and £10 per individual otherwise.[6]
• Request that incorrect information be corrected. If the company ignores the
  request, a court can order the data to be corrected or destroyed, and in some
  cases compensation can be awarded.[7]
• Require that data is not used in any way that may potentially cause damage
  or distress.[8]
• Require that their data is not used for direct marketing.[9]

Data protection principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall
not be processed unless:
   1. at least one of the conditions in Schedule 2 is met, and
   2. in the case of sensitive personal data, at least one of the conditions
      in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible
with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes.
6. About the rights of individuals e.g.[10] personal data shall be processed in
accordance with the rights of data subjects (individuals).
7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside
the European Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data subjects
in relation to the processing of personal data.

Conditions relevant to the first principle

Personal data should only be processed fairly and lawfully. In order for data to be
classed as 'fairly processed', at least one of these six conditions must be
applicable to that data (Schedule 2).

1. The data subject (the person whose data is stored) has consented ("given
their permission") to the processing;
2. Processing is necessary for the performance of, or commencing, a
contract;
3. Processing is required under a legal obligation (other than one stated in
the contract);
4. Processing is necessary to protect the vital interests of the data subject;
5. Processing is necessary to carry out any public functions;
6. Processing is necessary in order to pursue the legitimate interests of the
"data controller" or "third parties" (unless it could unjustifiably prejudice
the interests of the data subject).[11]

Consent

Except under the exceptions mentioned below, the individual needs to consent to
the collection of their personal information and its use for the purpose(s) in
question. The European Data Protection Directive defines consent as “…any
freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”,
meaning the individual may signify agreement other than in writing. However,
non-communication should not be interpreted as consent.

Additionally, consent should be appropriate to the age and capacity of the
individual and other circumstances of the case. For example, if an organisation
"intends to continue to hold or use personal data after the relationship with the
individual ends, then the consent should cover this." And even when consent is
given, it shouldn't be assumed to last forever. Although in most cases consent
lasts for as long as the personal data needs to be processed, individuals may be
able to withdraw their consent, depending on the nature of the consent and the
circumstances in which the personal information is being collected and used.[12]

The Data Protection Act also specifies that sensitive personal data must be
processed according to a stricter set of conditions, in particular any consent must
be explicit.[12]

Exceptions
The Act is structured such that all processing of personal data is covered by the
Act, while providing a number of exceptions in Part IV.[1] Notable exceptions are:

• Section 28 – National security. Any processing for the purpose of
  safeguarding national security is exempt from all the data protection
  principles, as well as Part II (subject access rights), Part III (notification), Part
  V (enforcement), and Section 55 (Unlawful obtaining of personal data).
• Section 29 – Crime and taxation. Data processed for the prevention or
  detection of crime, the apprehension or prosecution of offenders, or the
  assessment or collection of taxes are exempt from the first data protection
  principle.
• Section 36 – Domestic purposes. Processing by an individual only for the
  purposes of that individual's personal, family or household affairs is exempt
  from all the data protection principles, as well as Part II (subject access
  rights) and Part III (notification).

Offences
The Act details a number of civil and criminal offences for which data controllers
may be liable if a data controller has failed to gain appropriate consent from a
data subject. However, 'consent' is not specifically defined in the Act; consent is
therefore a common law matter.

• Sub-section 21(1) – This sub-section makes it an offence to process personal
  information without registration.[13]
• Sub-section 21(2) – This sub-section makes it an offence to fail to comply
  with the notification regulations made by the Secretary of State[13] (proposed
  by the Information Commissioner under section 25 of the Act).[14]
• Section 55 – Unlawful obtaining of personal data. This section makes it an
  offence for people (Other Parties), such as hackers and impersonators,
  outside the organisation to obtain unauthorised access to the personal
  data.[15]
• Section 56 – This section makes it a criminal offence to require an individual
  to make a Subject Access Request relating to cautions or convictions for the
  purposes of recruitment, continued employment, or the provision of
  services.[16] This section came into force on 10 March 2015.[17]

CYBER SECURITY

Computer security is security applied to computing devices such
as computers and smartphones, as well as computer networks such as private
and public networks, including the whole Internet. The field includes all the
processes and mechanisms by which digital equipment, information and services
are protected from unintended or unauthorized access, change or destruction,
and is of growing importance due to the increasing reliance on computer systems
in most societies.[1] It includes physical security to prevent theft of equipment
and information security to protect the data on that equipment. It is sometimes
referred to as "cyber security" or "IT security". Those terms generally do not refer
to physical security, but a common belief among computer security experts is
that a physical security breach is one of the worst kinds of security breaches as it
generally allows full access to both data and equipment.

Cybersecurity is the process of applying security measures to ensure
confidentiality, integrity, and availability of data. Cybersecurity attempts to assure
the protection of assets, which includes data, desktops, servers, buildings, and
most importantly, humans. The goal of cybersecurity is to protect data both in
transit and at rest. Countermeasures can be put in place in order to increase the
security of data. Some of these measures include, but are not limited to, access
control, awareness training, audit and accountability, risk assessment,
penetration testing, vulnerability management, and security assessment and
authorization.[2]

Cybersecurity standards are digital security techniques developed to prevent or
mitigate cybersecurity attacks. These guides provide general outlines as well as
specific techniques for implementing cybersecurity. For certain
standards, cybersecurity certification by an accredited body can be obtained.
There are many advantages to obtaining certification including the ability to get
cybersecurity insurance.

The choice between writing cybersecurity as two words (cyber security) or one
(cybersecurity) depends on the institution, and there have been discrepancies on
older documents.[1] However, since the U.S. Federal Executive Order (EO)
13636 on the subject was spelled “Improving Critical Infrastructure
Cybersecurity”, most forums and media have embraced spelling "cybersecurity"
as a single word.

II) LEGAL RECOGNITION OF DIGITAL EVIDENCE

Law on Digital Evidence

The proliferation of computers, the social influence of information technology and the
ability to store information in digital form have all required Indian law to be amended to
include provisions on the appreciation of digital evidence. In 2000 Parliament enacted
the Information Technology (IT) Act 2000, which amended the existing Indian statutes to
allow for the admissibility of digital evidence. The IT Act is based on the United Nations
Commission on International Trade Law Model Law on Electronic Commerce and,
together with providing amendments to the Indian Evidence Act 1872, the Indian Penal
Code 1860 and the Banker's Book Evidence Act 1891, it recognizes transactions that
are carried out through electronic data interchange and other means of electronic
communication.

Changes to Evidence Act

Although the Evidence Act has been in force for many years, it has often been amended
to acknowledge important developments. Amendments have been made to the Evidence
Act to introduce the admissibility of both electronic records and paper-based documents.

Evidence
The definition of 'evidence' has been amended to include electronic records (Section
3(a) of the Evidence Act). Evidence can be in oral or documentary form. The definition of
'documentary evidence' has been amended to include all documents, including
electronic records produced for inspection by the court. The term 'electronic records' has
been given the same meaning as that assigned to it under the IT Act, which provides for
"data, record or data generated, image or sound stored, received or sent in an electronic
form or microfilm or computer-generated microfiche".

Admissions
The definition of 'admission' (Section 17 of the Evidence Act) has been changed to
include a statement in oral, documentary or electronic form which suggests an inference
to any fact at issue or of relevance. New Section 22A has been inserted into the
Evidence Act to provide for the relevancy of oral evidence regarding the contents of
electronic records. It provides that oral admissions regarding the contents of electronic
records are not relevant unless the genuineness of the electronic records produced is in
question.

Statement as Part of Electronic Record

When any statement is part of an electronic record (Section 39 of the Evidence Act), the
evidence of the electronic record must be given as the court considers it necessary in
that particular case to understand fully the nature and effect of the statement and the
circumstances under which it was made. This provision deals with statements that form
part of a longer statement, a conversation or part of an isolated document, or statements
that are contained in a document that forms part of a book or series of letters or papers.

Admissibility of digital evidence


New Sections 65A and 65B are introduced to the Evidence Act under the Second
Schedule to the IT Act. Section 5 of the Evidence Act provides that evidence can be
given regarding only facts that are at issue or of relevance. Section 136 empowers a
judge to decide on the admissibility of the evidence. New provision Section 65A provides
that the contents of electronic records may be proved in accordance with the provisions
of Section 65B. Section 65B provides that notwithstanding anything contained in the
Evidence Act, any information contained in an electronic record (ie, the contents of a
document or communication printed on paper that has been stored, recorded and copied
in optical or magnetic media produced by a computer ('computer output')), is deemed to
be a document and is admissible in evidence without further proof of the original's
production, provided that the conditions set out in Section 65B(2) to (5) are satisfied.

Conditions for the admissibility of digital evidence
Before a computer output is admissible in evidence, the following conditions as set out in
Section 65B(2) must be fulfilled:

"(2) The conditions referred to in subsection (1) in respect of a computer output shall be the
following, namely:

(a) the computer output containing the information was produced by the computer during the
period over which the computer was used regularly to store or process information for the
purposes of any activities regularly carried on over that period by the person having lawful
control over the use of the computer;

(b) during the said period, information of the kind contained in the electronic record or of the
kind from which the information so contained is derived was regularly fed into the computer in
the ordinary course of the said activities;

(c) throughout the material part of the said period the computer was operating properly or, if not,
then in respect of any period in which it was not operating properly or was out of operation
during that part of the period, was not such as to affect the electronic record or the accuracy of
its contents; and

(d) the information contained in the electronic record reproduces or is derived from such
information fed into the computer in the ordinary course of the said activities.

(3) Where over any period the function of storing or processing information for the purposes of
any activities regularly carried on over that period as mentioned in clause (a) of subsection (2)
was regularly performed by computers, whether:

(a) by a combination of computers operating over that period;

(b) by different computers operating in succession over that period;

(c) by different combinations of computers operating in succession over that period; or

(d) in any other manner involving the successive operation over that period, in whatever order, of
one or more computers and one or more combinations of computers,

all the computers used for that purpose during that period shall be treated for the purposes of this
section as constituting a single computer and references in this section to a computer shall be
construed accordingly."

Section 65B(4) provides that in order to satisfy the conditions set out above, a certificate
of authenticity signed by a person occupying a responsible official position is required.
Such certificate will be evidence of any matter stated in the certificate. The certificate
must:

• identify the electronic record containing the statement;
• describe the manner in which it was produced; and
• give such particulars of any device involved in the production of the electronic
  record as may be appropriate for the purpose of showing that the electronic record
  was produced by a computer.

The certificate must also deal with any of the matters to which the conditions for
admissibility relate.

Presumptions Regarding Digital Evidence

A fact which is relevant and admissible need not be construed as a proven fact. The
judge must appreciate the fact in order to conclude that it is a proven fact. The exception
to this general rule is the existence of certain facts specified in the Evidence Act that can
be presumed by the court. The Evidence Act has been amended to introduce various
presumptions regarding digital evidence.

Gazettes in electronic form


Under the provisions of Section 81A of the Evidence Act, the court presumes the
genuineness of electronic records purporting to be from the Official Gazette or any legally
governed electronic record, provided that the electronic record is kept substantially in the
form required by law and is produced from proper custody.

Electronic agreements
Section 84A of the Evidence Act provides for the presumption that a contract has been
concluded where the parties' digital signatures are affixed to an electronic record that
purports to be an agreement.

Secure electronic records and digital signatures
Section 85B of the Evidence Act provides that where a security procedure has been
applied to an electronic record at a specific time, the record is deemed to be a secure
electronic record from such time until the time of verification. Unless the contrary is
proved, the court is to presume that a secure electronic record has not been altered
since obtaining secure status. The provisions relating to a secure digital signature are
set out in Section 15 of the IT Act. A secure digital signature is a digital signature which,
by application of a security procedure agreed by the parties at the time that it was
affixed, is:

• unique to the subscriber affixing it;
• capable of identifying such subscriber; and
• created by a means under the exclusive control of the subscriber and linked to the
  electronic record to which it relates in such a manner that if the electronic record
  was altered, the digital signature would be invalidated.

It is presumed that by affixing a secure digital signature the subscriber intends to sign or
approve the electronic record. In respect of digital signature certificates (Section 85C of
the Evidence Act), it is presumed that the information listed in the certificate is correct,
with the exception of information specified as subscriber information that was not verified
when the subscriber accepted the certificate.

Electronic messages
Under the provisions of Section 88A, it is presumed that an electronic message
forwarded by a sender through an electronic mail server to an addressee corresponds
with the message fed into the sender's computer for transmission. However, there is no
presumption regarding the person who sent the message. This provision presumes only
the authenticity of the electronic message and not the sender of the message.

Five-year-old electronic records


The provisions of Section 90A of the Evidence Act make it clear that where an electronic
record is produced from custody which the court considers to be proper and purports to
be or is proved to be five years old, it may be presumed that the digital signature affixed
to the document was affixed by the signatory or a person authorized on behalf of the
signatory. An electronic record can be said to be in proper custody if it is in its natural
place and under the care of the person under whom it would naturally be. At the same
time, custody is not considered improper if the record is proved to have had a legitimate
origin or the circumstances of the particular case are such as to render the origin
probable. The same rule also applies to evidence presented in the form of an electronic
copy of the Official Gazette.

Changes to Banker's Book Evidence Act

The definition of 'banker's book' has been amended to include the printout of data stored
on a floppy disc or any other electro-magnetic device (Section 2(3)). Section 2A provides
that the printout of an entry or a copy of a printout must be accompanied by a certificate
stating that it is a printout of such entry or a copy of such printout by the principal
accountant or branch manager, together with a certificate from a person in charge of the
computer system, containing a brief description of the computer system and the
particulars of its safeguards.

Changes to Penal Code

A number of offences were introduced under the provisions of the First Schedule of the
IT Act, which amended the Penal Code with respect to offences for the production of
documents that have been amended to include electronic records. The range of
additional offences includes:

• absconding to avoid the production of a document or electronic record in a court
  (Section 172 of the Penal Code);
• intentionally preventing the service of summons, notice or proclamation to produce
  a document or electronic record in a court (Section 173 of the Penal Code);
• intentionally omitting to produce or deliver up the document or electronic record to
  any public servant (Section 175 of the Penal Code);
• fabricating false evidence by making a false entry in an electronic record or making
  any electronic record containing a false statement, and intending the false entry or
  statement to appear in evidence in judicial proceedings (Sections 192 and 193 of
  the Penal Code);
• the destruction of an electronic record where a person hides or destroys an
  electronic record or obliterates or renders illegible the whole or part of an electronic
  record with the intention of preventing the record from being produced or used as
  evidence (Section 204 of the Penal Code); and
• making any false electronic record (Sections 463 and 465 of the Penal Code).

Recent Court Rulings

Search and seizure

State of Punjab v Amritsar Beverages Ltd involved a search by the Sales Tax Department
and the seizure of computer hard disks and documents from the dealer's
premises.(1) The computer hard disk was seized under the provisions set out in Section
14 of the Punjab General Sales Tax Act 1948, which requires authorities to return seized
documents within a stipulated timeframe (Section 14 (3)), provided that the dealer or
person concerned is given a receipt for the property. Section 14 reads as follows:

"14. Production and inspection of books, documents and accounts

(1) The commissioner or any person appointed to assist him under subsection (1) of section 3 not
below the rank of an [Excise and Taxation Officer], may, for the purpose of the act, require any
dealer referred to in section 10 to produce before him any book, document or account relating to
his business and may inspect, examine and copy the same and make such enquiry from such
dealer relating to his business, as may be necessary.

Provided that books, documents and accounts of a period more than five years prior to the year
in which assessment is made shall not be so required.

(2) Every registered dealer shall:

(a) maintain day-to-day accounts of his business;

(b) maintain a list of his account books, display it along with his registration certificate and
furnish a copy of such list to the assessing authority;

(c) produce, if so required, account books of his business before the Assessing Authority for
authentication in the prescribed manner; and

(d) retain his account books at the place of his business, unless removed therefrom by an official
for inspection, by any official agency, or by auditors or for any other reason which may be
considered to be satisfactory by the assessing authority.

(3) If any officer referred to in subsection (1) has reasonable ground for believing that any dealer
is trying to evade liability for tax or other dues under this act, and that anything necessary for the
purpose of an investigation into his liability may be found in any book, account, register or
document, he may seize such book, account, register or document, as may be necessary. The
officer seizing the book, account, register or document shall forthwith grant a receipt for the
same and shall:

(a) in the case of a book, account, register or document which was being used at the time of
seizing, within a period of 10 days from the date of seizure; and

(b) in any other case, within a period of 60 days from the date of seizure;

return it to the dealer or the person from whose custody it was seized after the examination or
after having such copies or extracts taken therefrom as may be considered necessary, provided
that the dealer or the aforesaid person gives a receipt in writing for the book, account, register or
document returned to him. The officer may, before returning the book, account, register or
document, affix his signature and his official seal at one or more places thereon, and in such case
the dealer or the aforesaid person will be required to mention in the receipt given by him the
number of places where the signature and seal of such officers have been affixed on each book,
account, register or document.

(4) For the purpose of subsection (2) or subsection (3), an officer referred to in subsection (1)
may enter and search any office, shop, godown, vessel, vehicle or any other place of business of
the dealer or any building or place except residential houses where such officer has reason to
believe that the dealer keeps or is, for the time being, keeping any book, account, register,
document or goods relating to his business.

(5) The power conferred by subsection (4) shall include the power to open and search any box or
receptacle in which any books, accounts, register or other relevant document of the dealer may
be contained.

(6) Any officer empowered to act under subsection (3) or subsection (4) shall have power to seize
any goods which are found in any office, shop, godown, vessel, vehicle or any other place of
business or any building or place of the dealer, but not accounted for by the dealer in his books,
accounts, registers, records and other documents."

This section entitles the officer concerned to affix his or her signature and seal at one or
more places on the seized document and to include in the receipt the number of places
where the signature and seal have been affixed. In the case at hand, the officers
concerned called upon the dealer, but the dealer ignored their requests.

After examination, the Sales Tax Authority was required to return all documents seized
within 60 days. However, the authority failed to return the hard disk, claiming that it was
not a document. When the matter came before the Supreme Court, a creative
interpretation was adopted, taking into account the fact that the Punjab General Sales
Tax Act was enacted in 1948 when information technology was far from being
developed. It was determined that the Constitution of India is a document that must be
interpreted in light of contemporary life. This meant that a creative interpretation was
necessary to enable the judiciary to respond to technological developments. The court
was permitted to use its own interpretative principles since Parliament had failed to
amend the statute with regard to developments in the field of science. The court stated
that the Evidence Act, which is part of the procedural laws, should be construed to be an
ongoing statute, similar to the Constitution, which meant that in accordance with the
circumstances, a creative interpretation was possible.

It was held that the proper course of action for officers in such circumstances was to
make copies of the hard disk or obtain a hard copy, affix their signatures or official seal
on the hard copy and furnish a copy to the dealer or person concerned.

Evidence recorded on CD
In Jagjit Singh v State of Haryana the speaker of the Legislative Assembly of the State of
Haryana disqualified a member for defection.(2) When hearing the matter, the Supreme
Court considered the appreciation of digital evidence in the form of interview transcripts
from the Zee News television channel, the Aaj Tak television channel and the Haryana
News of Punjab Today television channel. The Supreme Court of India indicated the
extent of the relevance of the digital materials in Paragraph 25 of its ruling:

"The original CDs received from Zee Telefilms, the true translation into English of the transcript
of the interview conducted by the said channel and the original letter issued by Zee Telefilms and
handed over to Ashwani Kumar on his request were filed on June 23 2004. The original CDs
received from Haryana News channel along with the English translation as above and the
original proceedings of the Congress legislative party in respect of proceedings dated June 16
2004 at 11.30am in the Committee room of Haryana Vidhan Sabha containing the signatures of
three out of four independent members were also filed."

In Paragraphs 26 and 27 the court went on to indicate that an opportunity had been
given to the parties to review the materials, which was declined:

"26. It has to be noted that on June 24 2004 counsel representing the petitioners were asked by
the speaker to watch the interviews conducted in New Delhi on June 14 2004 by Zee News and
Haryana News, which were available on the CD as part of the additional evidence with the
application dated June 23 2004 filed by the complainant. The counsel, however, did not agree to
watch the recording which was shown on these two channels. The copies of the application dated
June 23 2004 were handed over to the counsel and they were asked to file the reply by 10am on
June 25 2004. In the replies the petitioners merely denied the contents of the application without
stating how material by way of additional evidence that had been placed on record was not
genuine.

27. It is evident from the above facts that the petitioners declined to watch the recording, failed to
show how and what part of it, if any, was not genuine, but merely made general denials and
sought permission to cross-examine Ashwani Kumar and the opportunity to lead evidence."

The speaker was required to rule on the authenticity of the digital recordings, as
indicated at Paragraph 30 of the ruling:

"Under these circumstances, the speaker concluded that 'there is no room for doubting the
authenticity and accuracy of the electronic evidence produced by the petitioner'. The speaker held
that:

The court determined that the electronic evidence placed on record was admissible and
upheld the reliance placed by the speaker on the recorded interview when reaching the
conclusion that the voices recorded on the CD were those of the persons taking action.
The Supreme Court found no infirmity in the speaker's reliance on the digital evidence
and the conclusions reached in Paragraph 31 bear repeating in full:

The comments in this case indicate a trend emerging in Indian courts: judges are
beginning to recognize and appreciate the importance of digital evidence in legal
proceedings.

Admissibility of intercepted telephone calls


State (NCT of Delhi) v Navjot Sandhu was an appeal against conviction following the attack
on Parliament on December 13 2001, in which five heavily armed persons entered the
Parliament House Complex and killed nine people, including eight security personnel
and one gardener, and injured 16 people, including 13 security men.(3) This case dealt
with the proof and admissibility of mobile telephone call records. While considering the
appeal against the accused for attacking Parliament, a submission was made on behalf
of the accused that no reliance could be placed on the mobile telephone call records,
because the prosecution had failed to produce the relevant certificate under Section
65B(4) of the Evidence Act. The Supreme Court concluded that a cross-examination of
the competent witness acquainted with the functioning of the computer during the
relevant time and the manner in which the printouts of the call records were taken was
sufficient to prove the call records.

Examination of a witness by video conference
State of Maharashtra v Dr Praful B Desai involved the question of whether a witness can be
examined by means of a video conference.(4) The Supreme Court observed that video
conferencing is an advancement of science and technology which permits seeing,
hearing and talking with someone who is not physically present with the same facility
and ease as if they were physically present. The legal requirement for the presence of
the witness does not mean actual physical presence. The court allowed the examination
of a witness through video conferencing and concluded that there is no reason why the
examination of a witness by video conferencing should not be an essential part of
electronic evidence.

This Supreme Court decision has been followed in other high court rulings (eg, Amitabh
Bagchi v Ena Bagchi).(5) More recently, the High Court of Andhra Pradesh in Bodala
Murali Krishna v Bodala Prathima held that necessary precautions must be taken to
identify the witness and ensure the accuracy of the equipment being used.(6) In addition,
any party wishing to avail itself of the facility of video conferencing must meet the entire
expense.

III) RECOGNITION OF LIABILITY IN THE DIGITAL WORLD

The emergence of intelligent software, which operates autonomously and
not only automatically, may give rise to many difficulties especially with
regard to the attribution of liability for the actions of such software. This
paper thus explores some of these difficulties and examines how
intelligent software agents differ from other software applications, and
how liability should be attributed in light of such differences.
Furthermore, this paper briefly addresses the issue of what the law ought
to be in order to successfully handle intelligent software agents and their
potential effects in the digital world.

IV) JURISDICTION ISSUES IN TRANSNATIONAL CRIMES

Transnational crimes are crimes that have actual or potential effect across
national borders and crimes which are intra-State but which offend fundamental
values of the international community.[1] The term is commonly used in the law
enforcement and academic communities.

The word "transnational" describes crimes that are not only international (that is,
crimes that cross borders between countries), but crimes that by their nature
involve cross-border transference as an essential part of the criminal activity.
Transnational crimes also include crimes that take place in one country, but their
consequences significantly affect another country and transit countries may also
be involved. Examples of transnational crimes include: human trafficking, people
smuggling, smuggling/trafficking of goods (such as arms trafficking and drug
trafficking and illegal animal and plant products and other goods prohibited on
environmental grounds (e.g. banned ozone depleting substances)), sex
slavery, terrorism offences, torture and apartheid. Transnational organized
crime (TOC) refers specifically to transnational crime carried out by organized
crime organizations.[2]

Transnational crimes may also be crimes of customary international
law or international crimes when committed in certain circumstances. For
example they may in certain situations constitute crimes against humanity.

In failed or failing states
The international community is confronted with an increasing level of
transnational crime in which criminal conduct in one country has an impact in
another or even several others. Drug trafficking, human trafficking, computer
crimes, terrorism, and a host of other crimes can involve actors operating outside
the borders of a country which might have a significant interest in stemming the
activity in question and prosecuting the perpetrator. Contemporary transnational
crimes take advantage of globalization, trade liberalization and exploding new
technologies to perpetrate diverse crimes and to move money, goods, services
and people instantaneously for purposes of perpetrating violence for political
ends.[3]

Moreover, problems of weakened states and transnational crime create an
unholy confluence that is uniquely challenging. When a criminal operates outside
the territory of an offended state, the offended state might ordinarily appeal to the
state from which the criminal is operating to take some sort of action, such as to
prosecute the offender domestically or extradite the offender so that he or she
may face punishment in the offended state. Nonetheless, in situations in which a
government is unable (or unwilling) to cooperate in the arrest or prosecution of a
criminal, the offended state has few options for recourse.[3]

Given the limits on the exercise of extraterritorial enforcement jurisdiction, states
have developed mechanisms to cooperate in transnational criminal matters. The
primary mechanisms used in this regard are extradition, lawful removal, and
mutual legal assistance.[3]

Extradition is the mechanism by which one sovereign requests and obtains
custody of a fugitive located within the jurisdiction and control of another
sovereign. It is an ancient mechanism, dating back to at least the thirteenth
century, when an Egyptian Pharaoh negotiated an extradition treaty with a Hittite
King. Through the extradition process, a sovereign (the requesting state) typically
makes a formal request to another sovereign (the requested state). If the fugitive
is found within the territory of the requested state, then the requested state may
arrest the fugitive and subject him or her to its extradition process. The
extradition procedures to which the fugitive will be subjected are dependent on
the law and practice of the requested state.[3]

Aside from mechanisms for the return of fugitives, states have also developed
mechanisms for requesting and obtaining evidence for criminal investigations
and prosecutions. When evidence or other forms of legal assistance, such as
witness statements or the service of documents, are needed from a foreign
sovereign, states may attempt to cooperate informally through their respective
police agencies or, alternatively, resort to what is typically referred to as requests
for “mutual legal assistance”.[3] The practice of mutual legal assistance developed
from the comity-based system of letters rogatory, though it is now far more
common for states to make mutual legal assistance requests directly to the
designated “Central Authorities” within each state. In contemporary practice,
such requests may still be made on the basis of reciprocity but may also be
made pursuant to bilateral and multilateral treaties that obligate countries to
provide assistance. Many countries are able to provide a broad range of mutual
legal assistance to other countries even in the absence of a treaty.

MODULE III

CYBER LAW: INTERNATIONAL PERSPECTIVE

I) BUDAPEST CONVENTION ON CYBER CRIME

The Convention on Cybercrime, also known as the Budapest Convention on
Cybercrime or the Budapest Convention, is the first international treaty seeking
to address Internet and computer crime by harmonizing national laws, improving
investigative techniques, and increasing cooperation among nations.[1][2] It was
drawn up by the Council of Europe in Strasbourg, France, with the active
participation of the Council of Europe's observer states Canada and Japan.

The Convention and its Explanatory Report were adopted by the Committee of
Ministers of the Council of Europe at its 109th Session on 8 November 2001. It
was opened for signature in Budapest, on 23 November 2001 and it entered into
force on 1 July 2004.[3] As of October 2014, 44 states had ratified the
convention, while a further nine states had signed the convention but not ratified
it.[4]

On 1 March 2006 the Additional Protocol to the Convention on Cybercrime came
into force. Those States that have ratified the additional protocol are required to
criminalize the dissemination of racist and xenophobic material through computer
systems, as well as threats and insults motivated by racism or xenophobia.[5]

Objectives
The Convention is the first international treaty on crimes committed via the
Internet and other computer networks, dealing particularly with infringements of
copyright, computer-related fraud, child pornography, hate crimes, and violations
of network security.[6] It also contains a series of powers and procedures such as
the search of computer networks and lawful interception.

Its main objective, set out in the preamble, is to pursue a common criminal policy
aimed at the protection of society against cybercrime, especially by adopting
appropriate legislation and fostering international cooperation.

The Convention aims principally at:

• Harmonising the domestic criminal substantive law elements of offences and
  connected provisions in the area of cyber-crime
• Providing for domestic criminal procedural law powers necessary for the
  investigation and prosecution of such offences as well as other offences
  committed by means of a computer system or evidence in relation to which is
  in electronic form
• Setting up a fast and effective regime of international cooperation

The following offences are defined by the Convention: illegal access, illegal
interception, data interference, system interference, misuse of devices,
computer-related forgery, computer-related fraud, offences related to child
pornography, and offences related to copyright and neighbouring rights.

It also sets out such procedural law issues as expedited preservation of stored
data, expedited preservation and partial disclosure of traffic data, production
order, search and seizure of computer data, real-time collection of traffic data,
and interception of content data. In addition, the Convention contains a provision
on a specific type of transborder access to stored computer data which does not
require mutual assistance (with consent or where publicly available) and provides
for the setting up of a 24/7 network for ensuring speedy assistance among the
Signatory Parties.

The Convention is the product of four years of work by European and
international experts. It has been supplemented by an Additional Protocol making
any publication of racist and xenophobic propaganda via computer networks a
criminal offence. Currently, cyber terrorism is also studied in the framework of the
Convention.

Accession by the United States

Its ratification by the United States Senate by unanimous consent in August 2006
was both praised and condemned.[7] The United States became the 16th nation to
ratify the convention.[8][9] The Convention entered into force in the United States
on 1 January 2007.

"While balancing civil liberty and privacy concerns, this treaty encourages the
sharing of critical electronic evidence among foreign countries so that law
enforcement can more effectively investigate and combat these crimes", said
Senate Majority Leader Bill Frist.[10]

"The Convention includes a list of crimes that each signatory state must
transpose into their own law. It requires the criminalization of such activities
as hacking (including the production, sale, or distribution of hacking tools) and
offenses relating to child pornography, and expands criminal liability for
intellectual property violations. It also requires each signatory state to implement
certain procedural mechanisms within their laws. For example, law enforcement
authorities must be granted the power to compel an Internet service provider to
monitor a person's activities online in real time. Finally, the Convention requires
signatory states to provide international cooperation to the widest extent possible
for investigations and proceedings concerning criminal offenses related to
computer systems and data, or for the collection of evidence in electronic form of
a criminal offense. Law enforcement agencies will have to assist police from
other participating countries to cooperate with their mutual assistance
requests".[11]

Although a common legal framework would eliminate jurisdictional hurdles to
facilitate the law enforcement of borderless cyber crimes, a complete realization
of a common legal framework may not be possible. Transposing Convention
provisions into domestic law is difficult especially if it requires the incorporation of
substantive expansions that run counter to constitutional principles. For instance,
the United States may not be able to criminalize all the offenses relating to child
pornography that are stated in the Convention, specifically the ban on virtual
child pornography, because of its First Amendment's free speech principles.
Under Article 9(2)(c) of the Convention, a ban on child pornography includes any
“realistic images representing a minor engaged in sexually explicit conduct”.
According to the Convention, the United States would have to adopt this ban on
virtual child pornography as well; however, the U.S. Supreme Court, in Ashcroft
v. Free Speech Coalition, struck down as unconstitutional a provision of the
CPPA that prohibited “any visual depiction” that “is, or appears to be, of a minor
engaging in sexually explicit conduct”. In response to the rejection, the U.S.
Congress enacted the PROTECT Act to amend the provision, limiting the ban to
any visual depiction “that is, or is indistinguishable from, that of a minor engaging
in sexually explicit conduct”. 18 U.S.C

The United States will not become a Party to the Additional Protocol to the
Convention on Cybercrime.

Accession by other non–Council of Europe states

The Convention was signed by Canada, Japan, the United States, and South
Africa on 23 November 2001, in Budapest. As of February 2015, the non–Council
of Europe states that have ratified the treaty are Australia, Dominican Republic,
Japan, Mauritius, Panama, and the United States.

On 21 October 2013, in a press release, the Foreign Ministry of Colombia stated
that the Council of Europe had invited Colombia to adhere to the Convention of
Budapest.[12] Colombia has not acceded to the convention.

II) ICANN CORE PRINCIPLES AND THE DOMAIN NAME DISPUTES

Domain Name Dispute Resolution Policies

The following policies apply to various types of disputes between
registrants and third parties over the registration and use of domain
names. Disputes under these policies may be filed with one of the
approved dispute-resolution service providers for the given policy.

The Uniform Domain-Name Dispute Resolution Policy (below) is
applicable across all gTLDs. Additional dispute resolution policies may
apply to specific circumstances only in individual TLDs. These are also
listed below.

Uniform Domain-Name Dispute Resolution Policy

The Uniform Domain-Name Dispute Resolution Policy (UDRP) has
been adopted by ICANN-accredited registrars in all gTLDs (.aero, .asia,
.biz, .cat, .com, .coop, .info, .jobs, .mobi, .museum, .name, .net,
.org, .pro, .tel and .travel). Dispute proceedings arising from alleged
abusive registrations of domain names (for example, cybersquatting)
may be initiated by a holder of trademark rights. The UDRP is a policy
between a registrar and its customer and is included in registration
agreements for all ICANN-accredited registrars.

• Uniform Domain Name Dispute Resolution Policy -- This policy
  is followed by all registrars.
• Rules for Uniform Domain Name Dispute Resolution Policy --
  These rules are followed by all dispute-resolution service
  providers, with supplementation by each provider's
  supplemental rules.
• List of Approved Dispute-Resolution Service Providers
• UDRP Historical Documents

Charter Eligibility Dispute Resolution Policy

The Charter Eligibility Dispute Resolution Policy (CEDRP) is followed by
the sponsored TLDs .aero, .coop, .museum, and .travel for challenges
to registration of a domain name on the grounds that the registrant does
not meet the eligibility requirements (set forth in the
sponsored TLD charter) for registration of a domain name in the
given TLD. Any person or entity may bring a challenge to a registered
name under the CEDRP.

• Charter Eligibility Dispute Resolution Policy
• Rules for Charter Eligibility Dispute Resolution Policy
• List of Approved Dispute Resolution Service Providers

Eligibility Reconsideration Policy

The Eligibility Reconsideration Policy (ERP) is incorporated in
agreements with registrants concerning domain name registrations in
.aero. It sets out the terms and conditions in connection with any
challenge to a decision by the sponsor concerning eligibility to register
in .aero. This policy was developed by the sponsor of .aero. It is not
an ICANN policy and is provided here for reference only. More
information can be found on the sponsor's website.

Eligibility Requirements Dispute Resolution Policy

The Eligibility Requirements Dispute Resolution Policy (ERDRP) is
followed by the unsponsored restricted TLD .name. Registrations in
.name must consist of an individual's own personal name or the
personal name of a fictional character (provided the registrant holds
trademark or service mark rights in that character's personal name).
Numeric characters may also be used in combination with either type of
personal name above. Challenges to a registration in .name on the
grounds that it does not meet the eligibility requirements are filed under
the ERDRP. Defensive registrations and second level domain e-mail
address registrations are also subject to challenge under the ERDRP.
Any person or entity may bring a challenge to a registration under the
ERDRP.

• Eligibility Requirements Dispute Resolution Policy
• Rules for Eligibility Requirements Dispute Resolution Policy
• List of Approved Dispute Resolution Service Providers

.ASIA Charter Eligibility Requirements Policy

The .ASIA Charter Eligibility Requirements Policy (.ASIA CERP) applies
to domain names registered in the .ASIA sponsored TLD. Registrations
in .ASIA are restricted to members of the Pan-Asia and Asia-Pacific
Internet community. Challenges to a registration in .ASIA on the
grounds that it does not meet the eligibility requirements are filed under
the CERP. Further information can be found on the .ASIA website.

.cat Eligibility Requirements Dispute Resolution Policy (Política de
Resolució de Conflictes sobre Requisits d'Admissibilitat del .cat)

The .cat Eligibility Requirements Dispute Resolution Policy (.cat
ERDRP) applies to domain names registered in the sponsored TLD .cat.
Registrations in .cat are restricted to members of the Catalan linguistic
and cultural community. Challenges to a registration in .cat on the
grounds that it does not meet the eligibility requirements are filed under
the ERDRP. Further information can be found on the .cat website.

Intellectual Property Defensive Registration Challenge Policy

The Intellectual Property Defensive Registration Challenge Policy
(IPDRCP) applies to intellectual property defensive registrations in
the .pro TLD, which is restricted to use by certified practicing members
of certain professions (currently the medical, legal, and accounting
professions). An intellectual property defensive registration may be
registered only by the owner of an eligible trademark or service mark
registration. The IPDRCP provides an avenue for challenges to
Intellectual Property Defensive Registrations concerning whether such
registrant meets the Registration Qualifications. Any person or entity
may initiate an IPDRCP proceeding by submitting a challenge in
accordance with the rules.

• Intellectual Property Defensive Registration Challenge Policy
• Rules for Intellectual Property Defensive Registration
  Challenge Policy
• List of Approved Dispute Resolution Service Providers

Qualification Challenge Policy

The Qualification Challenge Policy (QCP) is followed by the
unsponsored restricted TLD .pro, which is limited to use by licensed
members of certain professions. Challenges to a registration on the
grounds that the registrant did not meet the registration qualifications
are filed under the QCP. A challenge to a registration under the
Qualification Challenge Policy may be brought by any interested party.

• Qualification Challenge Policy
• Rules for Qualification Challenge Policy
• List of Approved Dispute Resolution Service Providers

Restrictions Dispute Resolution Policy

The Restrictions Dispute Resolution Policy (RDRP) applies in the
unsponsored restricted TLD .biz. Registrations in the .biz TLD must be
used or intended to be used primarily for bona fide business or
commercial purposes. Challenges to a registration or use of a given
domain name on the grounds that it is not being or will not be used
primarily for a bona fide business or commercial purpose are filed under
the RDRP. Challenges under the RDRP may be initiated by any party
filing a complaint with an approved dispute resolution service provider.

• Restrictions Dispute Resolution Policy
• Supplemental RDRP Rules
• List of Approved Dispute Resolution Service Providers

Start-Up Trademark Opposition Policy

The Start-Up Trademark Opposition Policy (STOP) was available only
to intellectual property owners who enrolled in the IP Claim Service
during the Start-up phase of the .biz registry (June 25-September 21,
2001). STOP is no longer available as a dispute resolution policy for .biz
domain names. Disputes can be brought under the UDRP, RDRP or
available courts of law. For more information, see the registry operator's
site.

Sunrise Challenge Policy

The Sunrise Challenge Policy (SCP) was applied only during the
sunrise period for the .info TLD. Challenges under the Sunrise
Challenge Policy were administered by the registry operator (Afilias). As
the one hundred twenty (120) day sunrise period has closed, parties
disputing the validity of a sunrise registration may utilize the UDRP or
available courts of law. For more information, see the registry operator's
site.

Transfer Dispute Resolution Policy

The Transfer Dispute Resolution Policy (TDRP) applies to transactions
in which a domain-name holder transfers or attempts to transfer a
domain name to a new registrar. The TDRP concerns registrar disputes
under the Inter-Registrar Transfer Policy, which is followed by the .biz,
.com, .info, .name, .net, .org, and .pro TLDs. Proceedings under
the TDRP may be filed with the appropriate registry operator or with an
independent dispute resolution provider. Any ICANN-accredited
registrar may initiate a TDRP proceeding against another registrar by
submitting a complaint in accordance with the selected registry operator
or dispute resolution providers' supplemental rules.

• Transfer Dispute Resolution Policy
• List of Approved Dispute Resolution Service Providers

Proceedings

ICANN does not maintain a current centralized index of domain name
dispute resolution proceedings. Search tools for UDRP proceedings can
be found at the individual dispute resolution proceedings sites
of ICANN's approved dispute-resolution service providers, which can be
found at the following link:

List of Approved Dispute Resolution Service Providers

Limited indexes of past UDRP proceedings are archived in the following
link:

Archived Indexes and Statistics for UDRP Proceedings

Approval Process for Dispute Resolution Service Providers

ICANN is not currently soliciting additional dispute resolution service
providers; however, interested parties may contact ICANN on an
individual basis to express their interest. The procedures used for
approving providers in the past are provided for reference below.

Organizations seeking provisional approval as service providers under
any of ICANN's dispute resolution policies should take the following
steps:

1. Become familiar with the relevant policy and associated rules.

2. Submit an application by email to (icann@icann.org) and by
postal mail:

Dispute Resolution Service Provider Applications
Internet Corporation for Assigned Names and Numbers
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6601 USA

Applications should contain:

1. An overview of the applicant's capabilities and background in
providing alternative dispute-resolution (ADR) services,
including a description of the applicant's track record of
handling the clerical aspects of expedited ADR proceedings.

2. A list of the names and qualifications of the panelists the
applicant proposes to include on its published list and a
description of the screening requirements applicant has used in
selecting panelists to be included on its list.

3. A description of training and educational measures the
applicant proposes to employ for listed panelists with respect to
domain-name disputes, the relevant policy, and the associated
Rules.

4. A commitment by the applicant not to prevent or discourage
any of its listed panelists from serving as panelists for
domain-name disputes administered by other approved providers.

5. A copy of the applicant's proposed supplemental rules
(including fee schedule).

6. Documentation of applicant's proposed internal operating
procedures. If requested, ICANN will hold this documentation in
confidence.

7. A proposed schedule for applicant's implementation of its
program for administering proceedings under the policy,
including a statement of applicant's administrative capacity in
terms of number of proceedings initiated on a monthly basis.

8. A statement of any requested limitations on the number of
proceedings that applicant handles, either during a start-up
period or on a permanent basis.

9. A description of how the applicant proposes to administer
proceedings, including its interactions with parties,
registrars, ICANN, and other approved providers.

10. Description of how the applicant intends to publish
decisions of panels in proceedings it administers and a
commitment to provide ICANN with copies of all portions of
decisions of panels not published.

In general, ICANN examines the applications to determine whether the
applicant has demonstrated its ability to handle proceedings in an
expedited, global, online context in an orderly and fair manner.
Attributes that are especially important include:

1. Applicant should have a track record in competently handling
the clerical aspects of ADR proceedings. ICANN considers
proper review of pleadings for administrative compliance and
reliable and well-documented distribution of documents to the
parties and panels to be essential capabilities for providers. In
the absence of a well-established track record in handling the
clerical function, a detailed plan for providing those abilities
ordinarily must be submitted.

2. Applicant should propose a list of highly qualified neutrals who
have agreed to serve as panelists. Applicant's list should
include at least twenty persons. Applicants are expected
thoroughly to train the listed neutrals concerning the policy and
rules, the technology of domain names, and the basic legal
principles applicable to domain-name disputes. Accordingly,
excessively long lists of neutrals are discouraged. The
applicant should either present a list of panelists from multiple
countries or, if the applicant initially presents a single-country
list, propose a plan to expand its list to become multinational.

3. Applicant's supplemental rules and internal procedures should
demonstrate that applicant understands the workings of the
policy and associated rules.

III) NET NEUTRALITY AND THE EU ELECTRONIC
COMMUNICATION REGULATORY FRAMEWORK

For the most part, the current Internet is open: the whole Internet is
available to anyone who connects to it. The reason for this openness is
that the network itself is designed to be dumb, in that its job is to
route packets to their destination only. This design feature is slowly
changing as more and more intelligence is built into the network itself.
The principle of Net neutrality refers to the ability of network
operators to tamper with users’ connections, prioritising some traffic
over others. Such an action would be against the Net neutrality
principle.

This article looks at the European Union's regulatory framework for
electronic communications networks and services and how this relates to
the net neutrality debate. It seeks to discover if the provisions which
are in place following the recent updating of the regime are capable of
protecting the current neutral Internet.

Net neutrality law refers to laws and regulations which enforce the principle of net
neutrality.[1]

Opponents of net neutrality enforcement claim regulation is unnecessary,
because broadband service providers have no plans to block content or degrade
network performance.[2] Opponents of net neutrality regulation also argue that the
best solution to discrimination by broadband providers is to encourage greater
competition among such providers, which is currently limited in many areas.[3]

On 23 April 2014, the United States Federal Communications Commission (FCC)
is reported to be considering a new rule that will permit Internet service
providers to offer content providers a faster track to send content, thus reversing
their earlier position on net neutrality.[4][5][6] Municipal broadband could provide a
net neutral environment, according to Professor Susan Crawford, a legal and
technology expert at Harvard Law School.[7] On 15 May 2014, the FCC decided to
consider two options regarding Internet services: first, permit fast and slow
broadband lanes, thereby compromising net neutrality; and second, reclassify
broadband as a telecommunication service, thereby preserving net
neutrality.[8][9] On 10 November 2014, President Obama recommended the FCC
reclassify broadband Internet service as a telecommunications service in order to
preserve net neutrality.[10][11] On 26 February 2015, the FCC ruled in favor of net
neutrality by reclassifying broadband access as a telecommunications service
and thus applying Title II (common carrier) of the

Common carrier

In common law countries, common carrier is a legal classification for a person or
company which transports goods and is legally prohibited from discriminating or
refusing service based on the customer or nature of the goods. The common
carrier framework is often used to classify public utilities, such as electricity or
water, and public transport. In the United States, there has been intense debate
between some advocates of net neutrality, who believe Internet providers should
be legally designated common carriers,[13] and some Internet service providers,
who believe the common carrier designation would be a heavy regulatory
burden.[14]

Historical precedent

The concept of network neutrality predates the current Internet-focused debate,
existing since the age of the telegraph.[15] In 1860, a U.S. federal law (Pacific
Telegraph Act of 1860) was passed to subsidize a telegraph line, stating that:

messages received from any individual, company, or corporation, or from any
telegraph lines connecting with this line at either of its termini, shall be impartially
transmitted in the order of their reception, excepting that the dispatches of the
government shall have priority ...

—An act to facilitate communication between the Atlantic and Pacific states by
electric telegraph, June 16, 1860.[16]

In 1888 Almon Brown Strowger, suspecting his loss of business was caused by a
nepotistic telephone operator redirecting his business calls to a competitor,
invented an electromechanical-based automatic telephone exchange that
effectively removed human interference of telephone calls.[15]

Degrees of enforcement

Full neutrality

Chile became the first country in the world to pass net neutrality legislation in
2010.[17] The laws adopted there prohibit organizations such
as Facebook and Wikipedia from subsidizing mobile data usage of
consumers.[18] The adoption of net neutrality law usually includes allowance for
discrimination in limited conditions, such as preventing spam, malware, or illegal
content. The law in Chile allows exceptions for ensuring privacy and
security.[17] The law in the Netherlands allows exceptions for congestion, security,
spam, or legal reasons.

Cardozo Law School professor Susan P. Crawford believes that in a neutral
Internet, packets on the network must be forwarded on a first-come, first-served
basis, with no consideration given to quality-of-service concerns.[19]

A number of net neutrality interest groups have emerged,
including SaveTheInternet.com which frames net neutrality as an absence of
discrimination, saying it ensures Internet providers cannot block, speed up, or
slow down content on the basis of who owns it, where it came from, or where it's
going. It helps create the situation where any site on the Internet could potentially
reach an audience as large as that of a TV or radio station, and its loss would
mean the end for this level of freedom of expression.[20]

Only allow discrimination based on type of data

Columbia University Law School professor Tim Wu observed the Internet is not
neutral in terms of its impact on applications having different requirements. It is
more beneficial for data applications than for applications that require
low latency and low jitter, such as voice and real-time video. He explains that
looking at the full spectrum of applications, including both those that are sensitive
to network latency and those that are not, the IP suite isn't actually neutral. He
has proposed regulations on Internet access networks that define net neutrality
as equal treatment among similar applications, rather than neutral transmissions
regardless of applications. He proposes allowing broadband operators to make
reasonable trade-offs between the requirements of different applications, while
regulators carefully scrutinize network operator behavior where local networks
interconnect.[21] However, it is important to ensure that these trade-offs among
different applications be done transparently so that the public will have input on
important policy decisions.[22] This is especially important as the broadband
operators often provide competing services—e.g., cable TV, telephony—that
might differentially benefit when the need to manage applications could be
invoked to disadvantage other competitors.

The proposal of Google and Verizon would allow discrimination based on the
type of data, but would prohibit ISPs from targeting individual organizations or
websites:[23] Google CEO Eric Schmidt explains Google's definition of Net
neutrality as follows: if the data in question is video, for example, then there is no
discrimination between one purveyor's data versus that of another. However,
discrimination between different types of data is allowed, so that voice data could
be given higher priority than video data. On this, both Verizon and Google are
agreed.[24]

Individual prioritization without throttling or blocking

Some opponents of net neutrality argue that under the ISP market competition,
paid-prioritization of bandwidth can induce optimal user welfare.[25] Although net
neutrality might protect user welfare when the market lacks competition, they
argue that a better alternative could be to introduce a neutral public option to
incentivize competition, rather than enforcing existing ISPs to be neutral.

Some ISPs, such as Comcast, oppose blocking or throttling, but have argued
that they are allowed to charge websites for faster data delivery.[26] AT&T has
made a broad commitment to net neutrality, but has also argued for their right to
offer websites paid prioritization[27][28][29] and in favor of its current sponsored data
agreements.[30]

No direct enforcement

While many countries lack legislation directly addressing net neutrality, net
neutrality can sometimes be enforced based on other laws, such as those
preventing anti-competitive practices. This is currently the approach of the US
FCC, which justifies their enforcement based on compliance with "commercially
reasonable" practices.[31]

In the United States, author Andy Kessler argued in The Weekly Standard that,
though network neutrality is desirable, the threat of eminent domain against the
telecommunication companies, instead of new legislation, is the best approach.[32]

In 2011, Aparna Watal of Attomic Labs said that there had been few violations of
net neutrality. She argues that transparency, threat of public backlash, and the
FCC's current authority was enough to solve the issues of net neutrality, claiming
that the threat of consumers switching providers and the high cost of maintaining
a non-neutral network will deter bad practices.[33]

The Wall Street Journal has written about the government's responsibility being
more along the lines of making sure consumers have the ability to find another
Internet provider if they are not satisfied with their service, as opposed to
determining how Internet providers should go about managing their networks.[34]

European Union

EU parliament

The 2002 regulatory framework for electronic communications networks and
services in the European Union consisted of five directives, which are referred to
as "the Framework Directive and the Specific Directives":

• Access Directive (Directive 2002/19/EC)
• Authorization Directive (Directive 2002/20/EC)
• Framework Directive (Directive 2002/21/EC)
• Universal Service Directive (Directive 2002/22/EC)
• Directive on privacy and electronic communications (Directive 2002/58/EC)

When the European Commission consulted on the updating of the Framework
Directive and the Specific Directives in November 2007, it examined the possible
need for legislation to mandate network neutrality, countering the potential
damage, if any, caused by non-neutral broadband access. The European
Commission stated that prioritisation "is generally considered to be beneficial for
the market so long as users have choice to access the transmission capabilities
and the services they want" and "consequently, the current EU rules allow
operators to offer different services to different customers groups, but not allow
those who are in a dominant position to discriminate in an anti-competitive
manner between customers in similar circumstances".[35] However, the European
Commission highlighted that Europe's current legal framework cannot effectively
prevent network operators from degrading their customers' services. Therefore,
the European Commission proposed that it should be empowered to impose a
minimum quality of services requirements.[36] In addition, an obligation of
transparency was proposed to limit network operators' ability to set up restrictions
on end-users' choice of lawful content and applications.[37]

On 19 December 2009, the so-called "Telecoms Package" came into force and
EU member states were required to implement the Directive by May
2011.[38][39] According to the European Commission the new transparency
requirements in the Telecoms Package would mean that "consumers will be
informed—even before signing a contract—about the nature of the service to
which they are subscribing, including traffic management techniques and their
impact on service quality, as well as any other limitations (such as bandwidth
caps or available connection speed)".[39] Regulation (EC) No 1211/2009 of the
European Parliament and of the Council of 25 November 2009 established the
Body of European Regulators for Electronic Communications (BEREC) and the
Office[40] Body of European Regulators of Electronic Communications. BEREC's
main purpose is to promote cooperation between national regulatory authorities,
ensuring a consistent application of the EU regulatory framework for electronic
communications.[41]

By individual country

Since March 2009 in Italy, there has been a bill called: Proposta di legge dei senatori
Vincenzo VITA (PD) e Luigi Vimercati (PD) "Neutralita' Delle Reti, Free Software
E Societa' Dell'informazione".[42] Senator Vimercati in an interview said that he
wants "to do something for the network neutrality" and that he was inspired by
Lawrence Lessig, Professor at the Stanford Law School. Vimercati said that the
topic is very hard, but in the article 3 there is a reference to the concept of
neutrality regarding content. It is also a problem of transparency and for the
mobile connections: we need the minimum bandwidth to guarantee the service.
We need some principle to defend the consumers. It's important that the
consumer is informed if he cannot access all the Internet. The bill
rejects all discrimination, whether related to the content, the service or the device.
The bill is generally about the Internet ("a statute for the Internet") and treats different
topics like network neutrality, free software, and giving Internet access to
everyone.

In June 2011, the majority of the Dutch lower house voted for new net neutrality
laws which prohibit the blocking of Internet services, usage of deep packet
inspection to track customer behaviour and otherwise filtering or manipulating
network traffic.[43] The legislation applies to any telecommunications provider and
was formally ratified by the Dutch senate on 8 May 2012.[44][45]

In Belgium, net neutrality was discussed in the parliament in June 2011. Three
parties (CD&V, N-VA & PS) jointly proposed a text to introduce the concept of net
neutrality in the telecom law.[46]

In France, on 12 April 2011, the Commission for economic affairs of the French
parliament approved the report of MP Laure de La Raudière (UMP). The report
contains[47] 9 proposals. Propositions n°1 & 2 act on net neutrality.

In Slovenia, a new telecommunication law has been in effect since 1 January 2013
which explicitly defines and requires net neutrality from telecommunication
operators. Net neutrality is defined as a principle that all Internet traffic on a
public communication network is dealt with equally, independent of content,
applications, services, devices, source and destination of the communication.[48]

Israel

In 2011, Israel's parliament passed a law requiring net neutrality in mobile
broadband. These requirements were extended to wireline providers in an
amendment to the law passed on February 10, 2014. The law contains an
exception for reasonable network management, and is vague on a number of
issues such as data caps, tiered pricing, paid prioritization and paid peering.[49]

There is ongoing legal and political wrangling in the U.S. regarding net neutrality.
The United States Federal Communications Commission is in charge of
regulating Internet service providers' conduct in the US, though the extent of its
jurisdiction is subject to ongoing legal disputes.[50]

US FCC policy (2010-present)

Under commission chairman Julius Genachowski, the FCC proposed
reclassifying broadband Internet access providers under the provisions of Title 2
of the Communications Act in an effort to force the providers to adhere to the
same rules as telephone networks. This adjustment was meant to prevent
"unjust or unreasonable discrimination in charges, practices, classifications,
regulations, facilities or services".[51] On 21 December 2010, these changes were
put into effect by the FCC Open Internet Order 2010, which banned cable
television and telephone service providers from preventing access to competitors
or certain web sites such as Netflix. The rules also include a more limited set of
obligations for wireless providers. The rules would not keep ISPs from charging
more for faster access. Republicans in Congress threatened to reverse the rules
through legislation.[52]

On 23 September 2011, the FCC released its final rules for Preserving a Free
and Open Internet. These rules state that providers must have transparency of
network management practices, not block lawful content, nor unreasonably
discriminate in transmitting lawful network traffic.[53] These rules are effective 20
November 2011.

On 14 January 2014, the DC Circuit Court determined in Verizon
Communications Inc. v. Federal Communications Commission (2014) that the
FCC has no authority to enforce Network Neutrality rules, as service providers
are not identified as "common carriers".[54] Since the 14 January ruling, AT&T has
submitted several patents[55] that account for specific ways to take advantage of
the FCC's limited authority. Verizon is also under a mountain of allegations that
they have been slowing access to both Netflix and to the Amazon Cloud
services, although the company denies these allegations. Multiple independent
sources have performed network speed analysis and do find slower connection
times to these sites, although there is currently no proof that Verizon is
purposefully causing these slowdowns.

Proposed 2014 US FCC policy

On 19 February 2014 the FCC announced plans to formulate new rules to
enforce net neutrality while complying with the court rulings.[56] On 23 April 2014,
in a press statement, the Federal Communications Commission announced their
new proposed rules which would allow Broadband Internet service providers,
such as Comcast and Verizon, the "right to build special lanes" with faster
connection speeds for companies, such as Netflix, Disney or Google, willing to
pay a higher price. Their customers would have preferential access.[4][5][57][58] On 15
May the FCC launched a public comment period on how FCC rulemaking could
best protect and promote an open Internet,[59] garnering over one million
responses—the most the FCC had ever received for rulemaking.[60]

The new proposed rules have received heavy criticisms, with many claiming they
are ruining the internet. Opponents of the rules declared September 10, 2014 to
be the "Internet Slowdown". On it, participating websites were purposely slowed
down to show what they feel would happen if the new rules took effect. Websites
that participated in the Internet Slowdown
include: Netflix, Reddit, Tumblr, Twitter, Vimeo and Kickstarter.[61][62][63][64][65][66][67]

On 26 February 2015, the FCC ruled in favor of net neutrality by reclassifying
broadband access as a telecommunications service and thus applying Title II
(common carrier) of the Communications Act of 1934 to internet service
providers.[12][68][69][70]

Russian Federation

Since September 2007, the Russian government's Resolution No 575 introduces
new regulation rules of telematics services. Network operators (ISPs) can now
legally limit individual actions of the subscriber's network activity, if such actions
threaten the normal functioning of the network. ISPs are obliged to exclude the
possibility of access to information systems, network addresses, or uniform
pointers which a subscriber informs the operator of communication in the form
specified in the contract. The subscriber is obliged to take actions to protect the
subscriber terminal from the impact of malicious software and to prevent the
spread of spam and malicious software to its subscriber terminal. In reality, most
Russian ISPs shape the traffic of P2P protocols (like BitTorrent) with lower
priority (P2P is about 80% of traffic there). Also, there is a popular method,
called retracker,[71][72] for redirecting some BitTorrent traffic to the ISP's cache
servers and other subscribers inside of a metropolitan area network (MAN).
Access to MANs is usually with greater speed (2x–1000x or more, specified in
the contract) and better quality than the rest of the Internet.

South America

On 13 June 2010, the National Congress of Chile amended its
telecommunications law in order to preserve network neutrality, becoming the
first country in the world to do so.[73][74] This came after an intensive campaign
on blogs, Twitter, and other social networks.[75] The law, published on 26 August
2010, added three articles to the General Law of Telecommunications, forbidding
ISPs from arbitrarily blocking, interfering with, discriminating, hindering or
restricting an Internet user's right to use, send, receive or offer any legal content,
application, service or any other type of legal activity or use through the Internet.
To that effect ISPs must offer Internet access in which content is not arbitrarily
treated differently based on its source or ownership.[76]

In 2014, the Brazilian government passed a law which expressly upholds net
neutrality, "guaranteeing equal access to the Internet and protecting the privacy
of its users in the wake of U.S. spying revelations".[77]

East Asia

Net neutrality in the common carrier sense has been instantiated into law in
many countries, including Japan.[78] In Japan, the nation's largest phone
company, Nippon Telegraph and Telephone, operates a service called Flet's
Square over their FTTH high speed Internet connections. In South Korea, VoIP is
blocked on high-speed FTTH networks except where the network operator is the
service provider.[79]

According to Thomas Lum, a specialist in Asian Affairs: "Since its founding in
1949, the People's Republic of China (PRC) has exerted great effort in
manipulating the flow of information and prohibiting the dissemination of
viewpoints that criticize the government or stray from the official Communist party
view. The introduction of Internet technology in the mid-1990s presented a
challenge to government control over news sources, and by extension, over
public opinion. While the Internet has developed rapidly, broadened access to
news, and facilitated mass communications in China, many forms of expression
online, as in other mass media, are still significantly stifled. Empirical studies
have found that China has one of the most sophisticated content-filtering Internet
regimes in the world. The Chinese government employs increasingly
sophisticated methods to limit content online, including a combination of legal
regulation, surveillance, and punishment to promote self-censorship, as well as
technical controls."[80]

Concerns with regulation

Potential for government abuse

George Mason University fellow Adam Thierer has argued that "any government
agency or process big enough to control a major sector of our economy will be
prone to influence by those most affected by it", and that consequently "for all the
talk we hear about how the FCC's move to impose Net Neutrality regulation is
about 'putting consumers first' or 'preserving Net freedom and openness,' it's
difficult to ignore the small armies of special interests who stand ready to exploit
this new regulatory regime the same way they did telecom and broadcast
industry regulation during decades past."[81]

Grant Babcock, in the libertarian magazine Reason, wrote in 2014 that U.S.
government oversight of ISPs could allow government agencies like the NSA to
pressure ISPs into handing over private communication data on their users. He
noted that there was a history of U.S. governmental abuse of regulation,
including the Federal Reserve forcing some banks in 2008 to accept Troubled
Asset Relief Program funding by threatening to use their regulatory powers
against non-compliant banks.[82]

Violation of corporate rights

One concern of many Internet service providers is government enforcement of
information anti-discrimination. Arguing that such enforcement is an infringement
on the freedoms of their businesses, American ISPs such as Verizon have
argued that the FCC forcing anti-discrimination policies on information flowing
over company networks is a violation of the ISPs' constitutional rights, specifically
concerning the First Amendment and Fifth Amendment in a court
case challenging the Open Internet Order.[83]

Verizon challenged the Open Internet Order on several grounds, including that
the Commission lacked affirmative statutory authority to promulgate the rules,
that its decision to impose the rules was arbitrary and capricious, and that the
rules contravened statutory provisions prohibiting the Commission from treating
broadband providers as common carriers.[84]

Potential for banning legitimate activity

Poorly conceived legislation could make it difficult for Internet Service
Providers to legally perform necessary and generally useful packet filtering such
as combating denial of service attacks, filtering E-Mail spam, and preventing the
spread of computer viruses. Quoting Bram Cohen, the creator of BitTorrent, "I
most definitely do not want the Internet to become like television where there's
actual censorship...however it is very difficult to actually create network neutrality
laws which don't result in an absurdity like making it so that ISPs can't drop spam
or stop...attacks".[85]

Some pieces of legislation, like The Internet Freedom Preservation Act of 2009,
attempt to mitigate these concerns by excluding reasonable network
management from regulation.[86]

IV) WEB CONTENT ACCESSIBILITY GUIDELINES
(WCAG) 2.0

Web Content Accessibility Guidelines (WCAG) is developed through the W3C
process in cooperation with individuals and organizations around the world,
with a goal of providing a single shared standard for web content accessibility
that meets the needs of individuals, organizations, and governments
internationally.

The WCAG documents explain how to make web content more accessible to
people with disabilities. Web "content" generally refers to the information
in a web page or web application, including:

• natural information such as text, images, and sounds
• code or markup that defines structure, presentation, etc.

Who WCAG is for

WCAG is primarily intended for:

• Web content developers (page authors, site designers, etc.)
• Web authoring tool developers
• Web accessibility evaluation tool developers
• Others who want or need a standard for web accessibility

Related resources are intended to meet the needs of many different people,
including policy makers, managers, researchers, and others.

WCAG is a technical standard, not an introduction to accessibility. For
introductory material, see Where should I start? in the FAQ.

What is in WCAG 2.0

WCAG 2.0 is a stable, referenceable technical standard. It has 12 guidelines
that are organized under 4 principles: perceivable, operable,
understandable, and robust. For each guideline, there are testable success
criteria, which are at three levels: A, AA, and AAA.

For a short summary of the WCAG 2.0 guidelines, see WCAG 2.0 at a
Glance.

To learn about web accessibility principles and guidelines, see Accessibility
Principles.

The WCAG 2.0 supporting technical materials include:

• How to Meet WCAG 2.0: A customizable quick reference to Web
Content Accessibility Guidelines 2.0 requirements (success criteria)
and techniques is essentially the WCAG 2.0 checklist. Most people use
this quick reference as the main resource for working with WCAG.

• Techniques for WCAG 2.0 gives you specific details on how to
develop accessible Web content, such as HTML code examples. The
techniques are "informative", that is, you do not have to use them.
The basis for determining conformance to WCAG 2.0 is the success
criteria from the WCAG 2.0 standard, not the techniques. Read more
in Techniques in the FAQ.

• Understanding WCAG 2.0 has additional guidance on learning and
implementing WCAG 2.0 for people who want to understand the
guidelines and success criteria more thoroughly.

For more details on how these documents are related and how they are
linked, see The WCAG 2.0 Documents.

Technical document format

The WCAG, Techniques, and Understanding documents follow
the W3C format for technical reports, which has several sections at the
beginning, including links to different versions, editors, abstract, and
status.

Additional support material in progress

WAI is planning additional material to help web developers develop
accessible web content that conforms to WCAG 2.0. In 2012 we plan to
develop "Application Notes" (working title) to provide guidance for specific
topics, such as images, links, or tables. For example, an Application Note on
forms would start with simple examples and include the WCAG 2.0 success
criteria, techniques, and strategies for developing accessible forms.

WCAG 2.0 is ISO/IEC 40500

WCAG 2.0 is approved as an ISO standard: ISO/IEC 40500:2012. ISO/IEC
40500 is exactly the same as the original WCAG 2.0, which is introduced
above along with supporting resources.

The content of ISO/IEC 40500 is freely available
from www.w3.org/TR/WCAG20; it is available for purchase from the ISO
catalogue.

Benefits of WCAG 2.0 as an ISO standard are summarized in ISO in the FAQ.
More information on W3C and the ISO process is in the W3C PAS FAQ.

WCAG with other guidelines

WCAG is part of a series of accessibility guidelines, including the Authoring
Tool Accessibility Guidelines (ATAG) and the User Agent Accessibility
Guidelines (UAAG). Essential Components of Web Accessibility explains the
relationship between the different guidelines.

Who develops WCAG

The WCAG technical documents are developed by the Web Content
Accessibility Guidelines Working Group (WCAG WG), which is part of the
World Wide Web Consortium (W3C) Web Accessibility Initiative (WAI).

WAI updates Techniques for WCAG 2.0 and Understanding WCAG 2.0
periodically. We welcome comments and submission of new techniques.

Opportunities for contributing to WCAG and other WAI work are introduced
in Participating in WAI.

MODULE IV

CYBER LAW : CONTEMPORARY TRENDS

I) IMPACT OF CYBER WARFARE ON PRIVACY, IDENTITY THEFT

Identity theft and invasion of privacy


Cybercrime affects both a virtual and a real body, but the effects upon
each are different. This phenomenon is clearest in the case of identity
theft. In the United States, for example, individuals do not have an
official identity card but a Social Security number that has long served
as a de facto identification number. Taxes are collected on the basis of
each citizen’s Social Security number, and many private institutions use
the number to keep track of their employees, students, and patients.
Access to an individual’s Social Security number affords the opportunity
to gather all the documents related to that person’s citizenship—i.e., to
steal his identity. Even stolen credit card information can be used to
reconstruct an individual’s identity. When criminals steal a firm’s credit
card records, they produce two distinct effects. First, they make off with
digital information about individuals that is useful in many ways. For
example, they might use the credit card information to run up huge bills,
forcing the credit card firms to suffer large losses, or they might sell the
information to others who can use it in a similar fashion. Second, they
might use individual credit card names and numbers to create new
identities for other criminals. For example, a criminal might contact the
issuing bank of a stolen credit card and change the mailing address on
the account. Next, the criminal may get a passport or driver’s license
with his own picture but with the victim’s name. With a driver’s license,
the criminal can easily acquire a new Social Security card; it is then
possible to open bank accounts and receive loans—all with the victim’s
credit record and background. The original cardholder might remain
unaware of this until the debt is so great that the bank contacts the
account holder. Only then does the identity theft become visible.
Although identity theft takes place in many countries, researchers and
law-enforcement officials are plagued by a lack of information and
statistics about the crime worldwide. Interpol, the international policing
agency, has not added any type of cybercrime, including identity theft,
to its annual crime statistics. Cybercrime is clearly, however, an
international problem.
In 2003 the U.S. Federal Trade Commission (FTC) released the first
national survey on identity theft; according to the report, in the previous
year 3.3 million Americans had their identities fraudulently used to open
bank, credit card, or utility accounts, with losses of $32.9 billion to
businesses and $3.8 billion to individuals. The report also stated that
another 6.6 million Americans were victimized by account theft, such as
use of stolen credit cards and automatic teller machine (ATM) cards,
with losses of $14 billion to businesses and $1.1 billion to individuals.
The annual FTC reports show that while the total number of identity
theft victims in the United States has declined by about 500,000 in each
subsequent year, the average loss incurred by individuals and
businesses per incident has grown enough to keep the total losses near
$50 billion every year.

Internet fraud
Schemes to defraud consumers abound on the Internet. Among the
most famous is the Nigerian, or “419,” scam; the number is a reference
to the section of Nigerian law that the scam violates. Although this con
has been used with both fax and traditional mail, it has been given new
life by the Internet. In the scheme, an individual receives an e-mail
asserting that the sender requires help in transferring a large sum of
money out of Nigeria or another distant country. Usually, this money is
in the form of an asset that is going to be sold, such as oil, or a large
amount of cash that requires “laundering” to conceal its source; the
variations are endless, and new specifics are constantly being
developed. The message asks the recipient to cover some cost of
moving the funds out of the country in return for receiving a much larger
sum of money in the near future. Should the recipient respond with a
check or money order, he is told that complications have developed;
more money is required. Over time, victims can lose thousands of
dollars that are utterly unrecoverable.
In 2002 the newly formed U.S. Internet Crime Complaint Center
reported that more than $54 million had been lost through a
variety of fraud schemes; this represented a threefold increase over
estimated losses of $17 million in 2001. The annual losses grew in
subsequent years, reaching $125 million in 2003, about $200 million in
2006, and close to $250 million in 2008. In the United States, the largest
source of fraud continues to be online auctions. In many cases,
individuals put products up for sale on Internet auction sites, demand
money before delivery, and never fulfill their obligations to the
consumer. Such scams account for about half of the fraud cases each
year. Unlike identity theft, where the theft occurs without the victim’s
knowledge, these more traditional forms of fraud occur in plain sight.
The victim willingly provides private information that enables the crime;
hence, these are transactional crimes. Few people would believe
someone who walked up to them on the street and promised them easy
riches; however, receiving an unsolicited e-mail or visiting a random
Web page is sufficiently different that many people easily open their
wallets. Despite a vast amount of consumer education, Internet fraud
remains a growth industry for criminals and prosecutors. Europe and the
United States are far from the only sites of cybercrime. South Korea is
among the most wired countries in the world, and its cybercrime fraud
statistics are growing at an alarming rate. Japan has also experienced a
rapid growth in similar crimes.

II) INTERNATIONAL LAW GOVERNING CENSORSHIP, ONLINE PRIVACY, COPYRIGHT REGULATIONS

Internet censorship in the United States


From Wikipedia, the free encyclopedia

Internet censorship in the United States is the suppression of information published or
viewed on the Internet in the United States. The protection of freedom of speech and
expression against federal, state, and local government censorship are rooted in the First
Amendment of the United States Constitution. These protections extend to the Internet and
as a result very little government mandated technical filtering occurs in the U.S.

However, in 2014, the United States was added to Reporters Without Borders's (RWB's) list
of "Enemies of the Internet", a category of countries with the highest level of Internet
censorship and surveillance. RWB stated that the U.S. "… has undermined confidence in the
Internet and its own standards of security" and that "U.S. surveillance practices and
decryption activities are a direct threat to investigative journalists, especially those who work
with sensitive sources for whom confidentiality is paramount and who are already under
pressure."[1]

Overview
The strong protections for freedom of speech and expression against federal, state, and local
government censorship are rooted in the First Amendment of the United States Constitution.
These protections extend to the Internet and as a result very little government mandated
technical filtering occurs in the U.S. Nevertheless, the Internet in the United States is highly
regulated, supported by a complex set of legally binding and privately mediated
mechanisms.[2]

After a decade and a half of ongoing contentious debate over content regulation, the country is
still very far from reaching political consensus on the acceptable limits of free speech and the
best means of protecting minors and policing illegal activity on the Internet. Gambling, cyber
security, and dangers to children who frequent social networking sites are important ongoing
debates. Significant public resistance to proposed content restriction policies has prevented
the more extreme measures used in some other countries from taking hold in the U.S.[2]

Public dialogue, legislative debate, and judicial review have produced filtering strategies in
the United States that are different from those found in most of the rest of the world. Many
government-mandated attempts to regulate content have been barred on First Amendment
grounds, often after lengthy legal battles.[3] However, the government has been able to exert
pressure indirectly where it cannot directly censor. With the exception of child pornography,
content restrictions tend to rely more on the removal of content than blocking; most often
these controls rely upon the involvement of private parties, backed by state encouragement
or the threat of legal action.[4] In contrast to much of the rest of the world, where ISPs are
subject to state mandates, most content regulation in the United States occurs at the private
or voluntary level.[2]

The first wave of regulatory actions in the 1990s in the United States came about in
response to the profusion of sexually explicit material on the Internet within easy reach of
minors. Since that time, several legislative attempts at creating a mandatory system of
content controls in the United States have failed to produce a comprehensive solution for
those pushing for tighter controls. At the same time, the legislative attempts to control the
distribution of socially objectionable material on the Internet in the United States have given
rise to a robust system that limits liability over content for Internet intermediaries such as
Internet service providers (ISPs) and content hosting companies.[2]

Proponents of protecting intellectual property online in the United States have been much
more successful, producing a system to remove infringing materials that many feel errs on
the side of inhibiting legally protected speech.[2][5] The US practices forceful seizures of
domains and computers, at times without notification, causing the websites to be unable to
continue operating. Some high-profile cases are Napster, Wikileaks, PirateBay, and
MegaUpload.[citation needed]

National security concerns have spurred efforts to expand surveillance of digital
communications and fueled proposals for making Internet communication more traceable.[2]

Federal laws
With a few exceptions, the free speech provisions of the First Amendment bar federal, state,
and local governments from directly censoring the Internet. The primary exception has to do
with obscenity, including child pornography, which does not enjoy First Amendment
protection.[6]

Communications Decency Act (CDA)

In 1996, the United States enacted the Communications Decency Act (CDA), which
attempted to regulate both indecency (when available to children) and obscenity
in cyberspace.[7] In 1997, in the case of Reno v. ACLU, the United States Supreme
Court found the anti-indecency provisions of the Act unconstitutional.[8] Writing for the Court,
Justice John Paul Stevens held that "the CDA places an unacceptably heavy burden on
protected speech".[9]

Section 230[10] is a separate portion of the CDA that remains in effect. Section 230 says that
operators of Internet services are not legally liable for the words of third parties who use their
services and also protects ISPs from liability for good faith voluntary actions taken to restrict
access to certain offensive materials[11] or giving others the technical means to restrict access
to that material.

Child Online Protection Act (COPA)

In 1998, the United States enacted the Child Online Protection Act[12] (COPA) to restrict
access by minors to any material defined as harmful to such minors on the Internet. The law
was found to be unconstitutional because it would hinder protected speech among adults. It
never took effect, as three separate rounds of litigation led to a permanent injunction against
the law in 2009.[13][14][15]

Digital Millennium Copyright Act (DMCA)

Signed into law in 1998, the Digital Millennium Copyright Act (DMCA, 17 U.S.C. § 1201)
criminalizes the discussion and dissemination of technology that could be used to circumvent
copyright protection mechanisms[5] and makes it easier to act against alleged copyright
infringement on the Internet.[16] The Online Copyright Infringement Liability Limitation
Act (OCILLA) is included as Title II of the DMCA[17] and limits the liability of the on-line service
providers for copyright infringement by their users.[18]

Children's Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act (COPPA) went into effect on 21 April 2000.[19] It
applies to the online collection of personal information by persons or entities under U.S.
jurisdiction from children under 13 years of age and details what a website operator must
include in a privacy policy, when and how to seek verifiable consent from a parent or
guardian, and what responsibilities an operator has to protect children's privacy and safety
online including restrictions on the marketing to those under 13.[20] While children under 13
can legally give out personal information with their parents' permission, many websites
disallow underage children from using their services altogether due to the amount of
paperwork and cash involved for the compliance. Similarly, public perception claims that the
law was intended to protect children from pedophiles rather than unintended marketing practices.

Children's Internet Protection Act (CIPA)

On December 21, 2000 the Children's Internet Protection Act (CIPA)[21] was signed into law.

CIPA requires K-12 schools and libraries receiving federal Universal Service Fund (E-rate)
discounts or LSTA grants for Internet access or internal connections to:[22]

• adopt and implement an Internet safety policy addressing: (a) access by minors to
inappropriate matter on the Internet; (b) the safety and security of minors when
using electronic mail, chat rooms, and other forms of direct electronic communications;
(c) unauthorized access, including so-called “hacking,” and other unlawful activities by
minors online; (d) unauthorized disclosure, use, and dissemination of personal
information regarding minors; and (e) measures restricting minors’ access to materials
harmful to them;
• install internet filters or blocking software that prevents access to pictures that are:
(a) obscene, (b) child pornography, or (c) harmful to minors (for computers that are
accessed by minors);
• allow the filtering or blocking to be disabled upon the request of an adult; and
• adopt and enforce a policy to monitor the online activities of minors.

CIPA does not:[22]

• require the tracking of Internet use by minors or adults; or
• affect E-rate funding for schools and libraries receiving discounts for telecommunications
services, such as telephone service, but not for Internet access or internal connections.

Trading with the Enemy Act

In March 2008, the New York Times reported that a blacklist published by the Office of
Foreign Assets Control (OFAC), an agency established under the Trading with the Enemy
Act 1917 and other federal legislation, included a number of websites, so that U.S.
companies are prohibited from doing business with those websites and must freeze their
assets. The blacklist has the effect that domain name registrars based in the U.S. must block
those websites. According to the New York Times, eNom, a private domain name registrar
and Web hosting company operating in the U.S., disables domain names which appear on
the blacklist.[23] It describes eNom’s disabling of a European travel agent’s Web sites
advertising travel to Cuba, which appeared on the list[24] published by OFAC. According to
the report, the U.S. government claimed that eNom was "legally required" to block the
websites under U.S. law, even though the websites were not hosted in the U.S., were not
targeted at U.S. persons and were legal under foreign law.

Proposed federal legislation that has not become law

Deleting Online Predators Act (DOPA)

The Deleting Online Predators Act of 2006 was introduced, but did not become law.[25] Two
similar bills were introduced in 2007, but neither became law.[26][27]

The proposed legislation would have required schools, some businesses, and libraries to
block minors' access to social networking websites. The bill was controversial because,
according to its critics, it would limit access to a wide range of websites, including many with
harmless and educational material.

Protecting Cyberspace as a National Asset Act

The Protecting Cyberspace as a National Asset Act was introduced in 2010, but did not
become law.[28]

The proposed Act caused controversy for what critics perceived as its authorization for the
U.S. President to apply a full block of the Internet in the U.S.[29]

A new bill, the Executive Cyberspace Coordination Act of 2011, was under consideration by
the U.S. Congress in 2011.[30] The new bill addresses many of the same issues as, but takes
quite a different approach from, the Protecting Cyberspace as a National Asset Act.

Combating Online Infringement and Counterfeits Act (COICA)

The Combating Online Infringement and Counterfeits Act was introduced in September
2010, but did not become law.[31]

The proposed Act would have allowed the U.S. Attorney General to bring an in rem action
against an infringing domain name in United States District Court, and seek an order
requesting injunctive relief. If granted, such an order would compel the registrar of the
domain name in question to suspend operation of, and may lock, the domain name.[31]

The U.S. Justice Department would maintain two publicly available lists of domain
names.[31] The first list would contain domain names against which the Attorney General has
obtained injunctions. The second list would contain domains alleged by the Justice
Department to be infringing, but against which no action had been taken. Any service
provider who willingly took steps to block access to sites on this second list would be immune
from prosecution under the bill.

Stop Online Piracy Act (SOPA)

The Stop Online Piracy Act (SOPA), also known as H.R. 3261, is a bill that was introduced in
the United States House of Representatives on October 26, 2011, by Representative Lamar
Smith (R-TX) and a bipartisan group of 12 initial co-sponsors. The originally proposed bill
would allow the U.S. Department of Justice, as well as copyright holders, to seek court
orders against websites accused of enabling or facilitating copyright infringement. Depending
on who requests the court orders, the actions could include barring online advertising
networks and payment facilitators such as PayPal from doing business with the allegedly
infringing website, barring search engines from linking to such sites, and requiring Internet
service providers to block access to such sites. Many have argued that since ISPs would be
required to block access to certain websites, this is censorship. On 18 January 2012, the
English Wikipedia shut down for 24 hours beginning at 5:00 UTC (12:00 EST) to protest
SOPA and PIPA. In the wake of this and many other online protests, Rep. Lamar Smith has
stated, "The House Judiciary Committee will postpone consideration of the legislation until
there is wider agreement on a solution".[32]

Senator Ron Wyden, Democrat of Oregon and a key opponent of the bills, said lawmakers
had collected more than 14 million names — more than 10 million of them voters — who
contacted them to protest the once-obscure legislation.[32]

Protect Intellectual Property Act (PIPA)

The Protect Intellectual Property Act (Preventing Real Online Threats to Economic Creativity
and Theft of Intellectual Property Act, or PIPA) is a proposed law with the stated goal of
giving the US government and copyright holders additional tools to curb access to "rogue
websites dedicated to infringing or counterfeit goods", especially those registered outside the
U.S.[33] The bill was introduced on May 12, 2011, by Senator Patrick Leahy (D-VT)[34] and 11
bipartisan co-sponsors. PIPA is a re-write of the Combating Online Infringement and
Counterfeits Act (COICA),[35] which failed to pass in 2010. In the wake of online protests held
on January 18, 2012, Senate Majority Leader Harry Reid announced on Friday January 20
that a vote on the bill would be postponed until issues raised about the bill were resolved.
Reid urged Sen. Patrick Leahy (D-Vermont), the chief sponsor of PIPA, to “continue
engaging with all stakeholders to forge a balance between protecting Americans’ intellectual
property, and maintaining openness and innovation on the internet.”[32][36]

Cyber Intelligence Sharing and Protection Act (CISPA)

The Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed law introduced in
November 2011, with the stated goal of giving the U.S. government additional options and
resources to ensure the security of networks against attacks.[37] It was passed by the U.S.
House of Representatives in April 2012, but was not passed by the U.S. Senate. In February
2013 the bill was reintroduced in the House.[38]

CISPA is supported by several trade groups containing more than eight hundred private
companies, including the Business Software Alliance, CTIA – The Wireless
Association, Information Technology Industry Council, Internet Security Alliance, National
Cable & Telecommunications Association, National Defense Industrial
Association, TechAmerica and United States Chamber of Commerce, in addition to individual
major telecommunications and information technology companies
like AT&T, Facebook, IBM, Intel, Oracle Corporation, Symantec, and Verizon.[39][40]

Reporters Without Borders expressed concern that in the name of the war on cyber crime, it
would allow the government and private companies to deploy draconian measures to
monitor, even censor, the Web.[41] Other organizations that oppose the bill include
the Constitution Project, American Civil Liberties Union, Electronic Frontier
Foundation, Center for Democracy and Technology, Fight for the Future, Free
Press, Sunlight Foundation, and TechFreedom. Google has not taken a public position on
the bill, but lobbied for it.[42]

USITC Site Blocking

In January 2015 details from the Sony Pictures Entertainment hack revealed the MPAA's
lobbying of the United States International Trade Commission to mandate that US ISPs, either at
the Internet transit level or at the consumer level, implement IP address
blocking of pirate websites as well as linking websites.[43]

State laws
According to the National Conference of State Legislatures, in September 2013 twenty-six
states have laws that apply to Internet use at publicly funded schools or libraries:[44]

The majority of these states simply require school boards or public libraries to adopt Internet
use policies to prevent minors from gaining access to sexually explicit, obscene or harmful
materials. However, some states also require publicly funded institutions to install filtering
software on library terminals or school computers.

The twelve states that require Internet filtering in schools and/or libraries to protect minors
are: Arizona, Arkansas, Colorado, Idaho, Michigan, Minnesota, Missouri, Ohio,
Pennsylvania, South Dakota, Utah, and Virginia.[44]

The thirteen states that require schools and/or libraries to adopt policies to protect minors
include: California, Delaware, Georgia, Indiana, Iowa, Kentucky, Louisiana, Maryland,
Massachusetts, New Hampshire, New York, South Carolina, and Tennessee. Florida law
"encourages public libraries to adopt an Internet safety education program, including the
implementation of a computer-based educational program."[44]

And five states require Internet service providers to make a product or service available to
subscribers to control use of the Internet. They are: Louisiana, Maryland, Nevada, Texas,
and Utah.[44]

In July 2011 Missouri lawmakers passed the Amy Hestir Student Protection Act which
included a provision that barred K-12 teachers from using websites that allow "exclusive
access" in communications with current students or former students who are 18 or younger,
such as occurs with private messages on sites such as Facebook.[45] A circuit court order
issued before the law went into effect blocked the provision because "the breadth of the
prohibition is staggering" and the law "would have a chilling effect" on free-speech rights
guaranteed under the U.S. Constitution.[46] In September the legislature replaced the
controversial provision with a requirement that local school districts develop their own
policies on the use of electronic communication between employees and students.[47][48]

Censorship by institutions

The constitutional and other legal protections that prohibit or limit government censorship of
the Internet do not generally apply to private corporations. Corporations may voluntarily
choose to limit the content they make available or allow others to make available on the
Internet.[4] Or corporations may be encouraged by government pressure or required by law
or court order to remove or limit Internet access to content that is judged to
be obscene (including child pornography), harmful to children, defamatory, pose a threat
to national security, promote illegal activities such as gambling, prostitution, theft
of intellectual property, hate speech, and inciting violence.[2][3]

Public and private institutions that provide Internet access for their employees, customers,
students, or members will sometimes limit this access in an attempt to ensure it is used only
for the purposes of the organization. This can include content-control software to limit access
to entertainment content in business and educational settings and limiting high-bandwidth
services in settings where bandwidth is at a premium. Some institutions also block
outside e-mail services as a precaution, usually initiated out of concerns for local network
security or concerns that e-mail might be used intentionally or unintentionally to allow trade
secrets or other confidential information to escape.

Schools and libraries

K-12 schools and libraries that accept funds from the federal E-rate program or Library
Services and Technology Act grants for Internet access or internal connections are required
by Children's Internet Protection Act to have an "Internet safety policy and technology
protection measures in place".[22]

Many K-12 school districts in the United States use Internet filters to block material deemed
inappropriate for the school setting.[49][50] The federal government leaves decisions about
what to filter or block to local authorities. However, many question this approach, feeling that
such decisions should be made by a student's parents or guardian. Some of the fears
associated with Internet filtering in schools include: the risk of supporting a predominant
ideology, that views held by filter manufacturers are being imposed on students, over
blocking of useful information, and under blocking of harmful information.[51] A 2003 study
"found that blocking software overblocked state-mandated curriculum topics extensively–for
every web page correctly blocked as advertised, one or more was blocked incorrectly."[52]

Some libraries may also block access to certain web pages, including pornography,
advertising, chat, gaming, social networking, and online forum sites,[53] but there is a long and
important tradition among librarians against censorship[54] and the use of filtering and blocking
software in libraries remains very controversial.[55]

Telecommunications and Internet service companies

In 2007, Verizon attempted to block the abortion rights group NARAL Pro-Choice
America from using their text messaging services to speak to their supporters. Verizon
claims it was in order to enforce a policy that doesn’t allow their customers to use their
service to communicate “controversial” or “unsavory” messages.[56] Comcast, AT&T and
many other ISPs have also been accused of regulating internet traffic and bandwidth.

eNom, a private domain name registrar and Web hosting company operating in the U.S.,
disables domain names which appear on a U.S. Treasury Department blacklist.[23][24]

Military

The Department of Defense prohibits its personnel from accessing certain IP addresses from
DoD computers.[57] The US military's filtering policy is laid out in a report to Congress entitled
"Department of Defense Personnel Access to the Internet".[58]

The Monterey Herald reported on June 27, 2013 that the United States Army bars its
personnel from accessing parts of The Guardian's website after whistleblower Edward
Snowden's revelations about the PRISM global surveillance program and the National
Security Agency (NSA) were published there.[59][60] The entire Guardian website is blocked for
personnel stationed throughout Afghanistan, the Middle East, and South Asia, as well as
personnel stationed at U.S. Central Command headquarters in Florida.[61]

WikiLeaks

In February 2008, the Bank Julius Baer vs. WikiLeaks lawsuit prompted the United States
District Court for the Northern District of California to issue a permanent injunction against
the website WikiLeaks' domain name registrar. The result was that WikiLeaks could not be
accessed through its web address. This elicited accusations of censorship and resulted in
the Electronic Frontier Foundation stepping up to defend WikiLeaks. After a later hearing, the
injunction was lifted.[62]

In December 2010, the White House Office of Management and Budget, the U.S. Library of
Congress, the U.S. Air Force, and other government agencies began advising their
personnel not to read classified documents available from WikiLeaks and some blocked
access to WikiLeaks and other news organizations' websites.[63][64] This action was intended
to reduce the exposure of personnel to classified information released by WikiLeaks and
published by those news organizations.

On December 1, 2010 Amazon.com cut off WikiLeaks 24 hours after being contacted by the
staff of Joe Lieberman, Chairman of the U.S. Senate Committee on Homeland Security.[65] In
a statement Lieberman said:[66]

[Amazon's] decision to cut off WikiLeaks now is the right decision and should set the
standard for other companies WikiLeaks is using to distribute its illegally seized material. I
call on any other company or organization that is hosting WikiLeaks to immediately terminate
its relationship with them.

Constitutional lawyers say that this is not a first amendment issue because Amazon, as a
private company, is free to make its own decisions. Kevin Bankston, a lawyer with
the Electronic Frontier Foundation, agreed that this is not a violation of the first amendment,
but said it was nevertheless disappointing. "This certainly implicates first amendment rights
to the extent that web hosts may, based on direct or informal pressure, limit the materials the
American public has a first amendment right to access".[67]

The New York Times reported on 14 December[68] that the U.S. Air Force bars its personnel
from access to news sites (such as those of The New York Times and The Guardian, Le
Monde, El País, and Der Spiegel) that publish leaked cables.

WikiLeaks faces a global financial blockade by major finance companies
including Moneybookers, Mastercard, Visa, and PayPal. In October 2011 Julian Assange said
the blockade had destroyed 95% of WikiLeaks' revenues and announced that it was
suspending publishing operations in order to focus on fighting the blockade and raising new
funds.[69]

Individual websites

Some websites that allow user-contributed content practice self-censorship by adopting
policies on how the web site may be used and by banning or requiring pre-approval of
editorial contributions from users that do not follow the policies for the site. For example,
social media websites may restrict hate speech to a larger degree than is required by US
law (see also hate speech on Facebook), and may restrict harassment and verbal abuse.

Restriction of hate speech and harassment on social media is the subject of debate in the
US. For example, two perspectives include that online hate speech should be removed
because it causes serious intimidation and harm,[70] and that it shouldn't be removed because
it's "better to know that there are bigots among us" than to have an inaccurate picture of the
world.[71]

The National Religious Broadcasters, an organization that represents American Christian
television and radio broadcasters, and the American Center for Law and Justice, a
conservative Christian, pro-life group, conducted a study that concluded that some social
media sites are "actively censoring" religious content that expresses Christian perspectives,
because they forbid "hate speech" in the form of anti-homosexual viewpoints.[7

III) ONLINE INTERMEDIARIES IN THE GOVERNANCE OF INTERNET

Online Intermediaries

The Network’s Online Intermediaries project is a policy-oriented research initiative aimed at
examining the rapidly changing landscape of online intermediary governance at the intersection
of law, technology, norms, and markets. In concert with other research projects, it seeks to
develop criteria, comparative methods, and a shared data repository, and to compile insights
and lessons learned across diverse communities of knowledge aimed at informing and improving
Internet policy-making globally.

The first research output as part of the larger initiative consists of a case study series exploring
online intermediary liability frameworks and issues in Brazil, the European Union, India, South
Korea, the United States, Thailand, Turkey, and Vietnam, and a synthesis paper that seeks to
distill key observations and provide a high-level analysis of some of the structural elements that
characterize varying governance frameworks, with a focus on intermediary liability regimes and
their evolution. This research builds upon a series of in-person working meetings, including a
workshop hosted by the Radcliffe Institute for Advanced Study at Harvard University, where
the draft country reports and key elements of the synthesis were discussed. Throughout the
process, learning calls supported the sharing of research and methods among the collaborators.

Governance of Online Intermediaries: New Study by NoC
The Global Network of Internet and Society Research Centers (NoC) and the Berkman
Center for Internet & Society at Harvard University have published a new report which
examines the rapidly changing landscape of online intermediary liability at the
intersection of law, technology, norms, and markets, and is aimed at informing and
improving Internet policy-making globally.

The report is a first output of a larger initiative on the governance of online
intermediaries. It consists of a case study series exploring online intermediary liability
frameworks and issues in Brazil, the European Union, India, South Korea, the United
States, Thailand, Turkey, and Vietnam, and a synthesis paper that seeks to distill key
observations and provide a high-level analysis of some of the structural elements that
characterise varying governance frameworks, with a focus on intermediary liability
regimes and their evolution. In particular the synthesis highlights the importance of
cultural and political context, as reflected in both the legal norms aimed at regulating
intermediaries and the perception of intermediaries' social function within the countries
studied.

The research effort is grounded in a diversity of global perspectives and collaborative
research techniques, committed to objective and independent academic standards, and
aspires to be useful, actionable, and timely for policymakers and stakeholders. More
broadly, the Network of Centers seeks to contribute to a more generalized vision and
longer-term strategy regarding the role of academic research, facilitation and convening,
and education and communication in the Internet age. For additional information on the
initiative, contact Urs Gasser, Berkman Center for Internet & Society, at
ugasser@cyber.law.harvard.edu

The full text of the case studies and the synthesis paper are available on the Publixphere
website, where the authors welcome comments and feedback. The series and individual
papers are also available for download from SSRN.

IV) SOCIAL NETWORKING SITES VIS-A-VIS HUMAN RIGHTS

The Social Network for Justice and Human Rights

The Social Network for Justice and Human Rights (Rede Social de Justiça e Defesa dos
Direitos Humanos or, Rede Social) is a human rights organization that supports the work of
social movements in Brazil through legal assistance, trainings, reporting and media
campaigns on abuses of human rights.

Rede exposes the inhuman and illegal conditions faced by many workers in Brazil’s lucrative
sugar cane and ethanol industry (including documenting cases of slavery and of laborers
being literally worked to death) and has been a courageous advocate for the rights of
activists who are being persecuted for challenging these unjust living and working conditions.

Rede Social provides training and legal assistance to members of social movements and
promotes communication and networking activities at the national and international level.
Rede Social works with a variety of civil society organizations, including the Landless
Workers Movement (MST), Pastoral Land Commission, Movement of People Displaced by
Dams, The Movement of Quilombolas (rural communities of African descendants) and the
Organization of Popular Movements to combat human rights violations such as
assassinations, pre-emptive arrests, wrongful incarcerations, and death threats and other
forms of intimidation toward leaders and members of social movements.

Rede prepares and submits human rights cases and petitions nationally and internationally;
trains community members as human rights monitors and researchers; conducts popular
research; produces educational materials, books, and reports; and coordinates the
organizations within the network. Rede Social also produces an Annual Report of the Human
Rights in Brazil, with the goal of pressing, informing the public, and fighting against impunity in
the rural areas.

Rede’s publications and studies contribute to the coordination and advocacy agendas of
social movements and other grassroots partners like the MST and the Association of Rural
Workers (ATC) in Nicaragua.

EFF is an international civil society non-governmental organization with more than
14,000 members worldwide, dedicated to the protection of citizens’ online civil
rights, privacy, and freedom of expression. EFF engages in strategic litigation in the
United States and works in a range of international and national policy venues
to promote balanced laws that protect human rights, foster innovation and empower
consumers. EFF is located in San Francisco, California and has members in 67
countries throughout the world.

EFF commends the Council of Europe for working to protect and promote respect
for human rights with regards to social networking services. We agree with many of
the basic findings of the recommendations and guidelines which note that social
networking services are key tools for “receiving and imparting information.”
We concur with the statements that individuals “have to be sure that their
rights to private life will be protected when they use social networking
services and that their personal data will not be misused,” and
that social network providers should respect “the right to freedom of expression,
the right to privacy and secrecy of correspondence.” We also recognize that
governments might take narrowly tailored exceptional actions based on the limitations
to freedom of expression established in international law, in particular Article 19 of
the United Nations International Covenant on Civil and Political Rights and Article 10
of the European Convention on Human Rights.

While we commend the Council of Europe for working to protect and promote respect
for human rights by social networks providers, we wish to express caution
on some of the provisions as currently drafted and to respectfully provide additional
suggestions that can be included.

DRAFT RECOMMENDATION ON MEASURES TO PROTECT AND PROMOTE RESPECT FOR
HUMAN RIGHTS WITH REGARD TO SOCIAL NETWORKING SERVICES

We commend the Council of Europe for:

Recognizing that social networking services “are a tool for expression but
also for communication between individuals.”

Recognizing that social networking services “offer great possibilities for
enhancing the individual’s right to participate in political, social and cultural life.”

Recognizing “The right to freedom of expression and information, as well as the
right to privacy and human dignity, may also be challenged on social
networking services.”

Supporting the Committee of Ministers’ recommendation to the Member States to
“develop and promote coherent strategies to protect and promote human rights.”
In particular, “ensuring users are aware of possible challenges to their human rights
on social networking services,” to encourage “transparency about
the kinds of personal data that are being collected and
the legitimate purposes for which they are being processed, including further
processing by third parties.”

EFF has proposed a “Bill of Privacy Rights for Social Network Users,” which stresses
that individuals have the right “[t]o see readily who is entitled to access any particular
piece of information about themselves,” (…) including “government
officials, websites, applications, advertisers and advertising networks and services.”
Moreover, “[w]henever possible, a social network service should give users
notice when the government or a private party uses legal or administrative
processes to seek information about them, so that users have a meaningful
opportunity to respond.”[1]

Therefore, we respectfully suggest that the Committee of Ministers recommend
member states to take the following actions:

Adopt strong legal safeguards and due process before disclosure
of individuals’ data to governmental entities. Government access should be
done only upon receipt of a court order, in accordance with international
legal norms and instruments relevant to the protection of private life.

Allow and encourage social networks to notify the person whose social networking
records are sought whenever possible. Social networks should agree to a timetable for
disclosure to the party requesting data in order to
provide a reasonable opportunity for the individual to file an objection with a
court before disclosure.

Foster transparency on the disclosure of citizens' data
pursuant to a governmental or private party request. The guidelines should
encourage social networks to publicly disclose an accounting of the nature and
frequency of governmental and private party requests for access to citizens’ data.[2]

Foster transparency on requests for content removal or the censorship of
content. The guidelines should encourage social networking services to
publicly disclose the nature and frequency of content removal or requests to
censor content, including the justification (e.g., court order, violation of terms
of service or other category, if applicable).

Foster transparency on social networking services’ guidelines for law
enforcement seeking to request information about users.

Any government request to get access to users' personal data should include a provision
to remunerate a social networking service. This obligation will not only compensate the
company for the additional work required to fulfill the request, but will also incentivize
governments towards mitigating on the possibility of unlimited requests.

[1] Kurt Opsahl, A Bill of Privacy Rights for Social Network Users, Electronic Frontier
Foundation, 2010, available at .

GUIDELINES FOR SOCIAL NETWORKS PROVIDERS

1. Transparency as regards freedom of expression and access to information

While we agree that the “core conditions” should be written in “a form and language”
that is “appropriate to and easily understandable by, the group of social
networks sites,” we also believe that those terms of services should be accessible in
the users’ native language since those terms of services condition individuals to the
policies’ contents upon his or her consent. For example, Facebook’s site has been
translated in more than 80 languages while the Terms of Services is available only in
less than 10 languages.

2. Appropriate protection of children against harmful content and behavior

2.1 Age-verification creates more privacy risks rather than protect privacy

EFF agrees that age-verification access raises numerous human rights concerns.[3] In
particular, the guidelines correctly emphasize that, “there is not a single technical
solution with regard to online age verification that does not infringe on other human
rights and/or does not facilitate age falsification, thus causing greater risks than
benefits to the minors involved.”

Age-verification access intended to protect privacy would, ironically, create more
privacy risks. There are already several challenges to protecting privacy against the
largely invisible, poorly understood, and continually escalating surveillance of
adult’s online activities, let alone those of children.[4] A study has identified the
unintentional and indirect leakage of personal data via social networking services to
third-party aggregation servers. The study also noted that this leakage is also being
shared with external online social networking applications, which not only have
access to a user’s profile information, but also leak a user’s social networking
identifier to other third parties.[5]

[2] See Google Transparency Report, .
Moreover, age verification processes curtail children’s freedom of expression rights,
including older children’s right to read anonymously. Older children may have ideas
that they want to learn that they might not tell their parents about, and
leaking more personal information, such as age, will only increase privacy risks
for them.[6]

3. Ensuring users’ control over their data

3.1 Informed consent

To complement point 5 on the right of users to control their data, EFF “Bill of
Privacy Rights for Social Network Users” says:
“Social network services must ask their users' permission before making any change
that could share new data about users, share users' data with new categories of
people, or use that data in a new way. Changes like this should be "opt-in" by default,
not "opt-out," meaning that users' data is not shared unless a user makes an informed
decision to share it. If a social network service is adding some
functionality that its users really want, then it should not have to resort to unclear
or misleading interfaces to get people to use it.”[7]

[3] See Ctr. for Democracy & Tech, Electronic Frontier Foundation, The Progress & Freedom
Found., Comment on the Federal Trade Commission’s Implementation of the Children’s
Online Privacy Protection Rule (June 30), .
[4] See Seth Schoen, New Cookie Technologies: Harder to See and Remove, Widely Used to
Track You, Electronic Frontier Foundation, September 14, 2009,
. Peter Eckersley, How Online Tracking Companies Know Most of What You
Do Online (and What Social Networks Are Doing to Help Them), Electronic Frontier
Foundation, September 21, 2009.
https://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks.
[5] See Balachander Krishnamurthy, Craig E. Wills, On the Leakage of Personally Identifiable
Information Via Online Social Networks, available at .
[6] See Rebecca Jeschke, Don't Turn COPPA Into Age-Verification Mandate, Electronic
Frontier Foundation, July 2, 2010, available at .

3.2 Clear user interface

We also ask the Council of Europe to encourage social networks providers to provide a
clear user interface that allows users to effectively exercise their rights. Users
should have “the right to a clear user interface that allows them to make
informed choices about who sees their data and how it is used.”[8]
Professor Greg Conti has pointed out that a good interface is designed
to help users achieve their goals without impediments. However, an “evil” interface is
conceived to deceit users into doing things they do not want to.[9] There are many
examples of obscure user interfaces, such as Facebook’s instant personalization changes
and GoogleBuzz which forced Gmail users to share their email contacts and threatened to
move private GMail recipients into a public "frequent contacts" list, or
Facebook instant personalization changes, are a few examples.[10]

3.3 Transparency on social networking records requests
To address concerns of privacy violations, lack of transparency and public oversight
mechanisms on social networking data requests, we respectfully want to repeat our
above recommendation:

Adopt strong legal safeguards and due process before
disclosure of individuals’ data to governmental entities. Government access
should be done only upon receipt of a court order, in accordance with
international legal norms and instruments relevant to the protection of private life.

Allow and encourage social networks to notify the person whose social
networking records are sought whenever possible. Social networks should agree
to a timetable for disclosure to the party requesting data in order to
provide a reasonable opportunity for the individual to file an objection with a
court before disclosure.

Foster transparency on the disclosure of citizens' data pursuant to a governmental or
private party request. The guidelines should encourage social networks to
publicly disclose an accounting of the nature and
frequency of governmental and private party requests for access to citizens’ data.

Foster transparency on requests for content removal or the censorship of
content. The guidelines should encourage social networking services to
publicly disclose the nature and frequency of content removal or requests to
censor content, including the justification (e.g., court order, violation of terms
of service or other category, if applicable).

Foster transparency on social networking services’ guidelines for law
enforcement seeking to request information about users.

Any government request to get access to users' personal data should include
a provision to remunerate a social networking service. This obligation will
not only compensate the company for the additional work required to fulfill
the request, but will also incentivize governments towards mitigating on the
possibility of unlimited requests.

[7] Supra note 1
[8] Supra note 1.
[9] Professor Greg Conti, Evil Interfaces, Hackers On Planet Earth conference, 2008, .
See also, Tim Jones, Facebook's "Evil Interfaces," Electronic Frontier Foundation,
April 29, 2010, available at .
[10] FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network,
March 30, 2011, Federal Trade Commission, available at . Kurt Opsahl, How to Opt Out of
Facebook’s Instant Personalization, Electronic Frontier Foundation, April 22, 2010,
available at .

3.4 Enable by default site-wide SSL and security breach notification
The guidelines correctly point out the importance for social networking providers to
“apply state of the art security measures.” We respectfully request the Council
of Europe to recommend member states to encourage social network providers
to enable site-wide SSL by default to protect users’ information and
communications from eavesdropping. In addition to enabling default site-wide
SSL, social networking services should inform users and national data protection
authorities about any security breach affecting their users.

Security breach notification can be an important tool for helping to ensure online
security. For example, during the Tunisian revolution, the Tunisian government
launched an attack on activists that stole the usernames and passwords of Tunisians
logging in to Google, Yahoo, and Facebook.[11] The Tunisian government then logged
in to Tunisians’ email and Facebook accounts. During this period of time, EFF urged
Facebook, Google, and Yahoo to take concrete steps as quickly as possible to inform
and better protect their users against the breach.

3.5 The privacy policies dilemma

The problems with privacy policies are serious. In many cases, the privacy policies
of social networking services lack a definition of critical terms or broadly state the
purposes of data collection (e.g., “to provide you with a better experience”) to allow
limitless uses of personal data.[12] Therefore, EFF believes that vague justifications
such as providing “a better user experience” tell individuals nothing useful for them
to make an informed decision about the use of their personal data.

[11] Eva Galperin, EFF Calls for Immediate Action to Defend Tunisian Activists Against
Government Cyberattacks, Electronic Frontier Foundation, January 11, 2011, available
at
We agree with guidelines that call for “ensuring transparent information for users
about the management of their personal data in a form and language that is
appropriate for the target groups of the social networking services.” We want
to repeat our concerns, however, about the need to provide privacy policies in
the user’s native language.

3.6 Deletion of profiles

We want to commend the Council of Europe for requesting that social network
services “make sure that users are able to completely delete their profile and all data
stored about and from them in a social networking service.” As we have said in our
“Bill of Privacy Rights for Social Networking Users,” a user should have the right to
delete data or her entire account from a social network service. It should be
permanently eliminated from the service's servers. Social network services should
not disable access to data while continuing to store or use user’s data. The data should be
permanently eliminated from the service’s servers. Furthermore, if users decide to leave
a social network service, they should be able to easily, efficiently and freely take their
uploaded information away from that service and move it to a different one in a usable
format. This concept is fundamental to promote competition and ensure that users truly
maintain control over their information, even if they sever their relationship with a
particular service.[13]

3.7 Data Minimization

A social networking service should limit the collection of personal data, including
transactional data and location data to the minimum amount necessary to provide
services. They should store personal information for the minimum time necessary for
the purpose of their operations. A social networking service should effectively
obfuscate, aggregate and delete unneeded or unused user personal information
about users. They should also maintain written policies addressing those personal
data collection and retention minimization policies. Policies should clearly
specify the kind of data collected, the period of retention, and avoid the use
of general or vague terms that promote the limitless use of data.[14]

Law must provide any restriction on the right to privacy. For a restriction to be
permissible, the restrictive measure must be necessary in a democratic society. It is
not enough that the restriction serves one of the enumerated legitimate aims; the
restriction must be necessary for reaching the legitimate aim. The restriction must
comply with the principle of proportionality; the restriction must be appropriate to
achieve its protective function; it must be the least intrusive instrument amongst
those that might achieve the desired result; and the restriction must be
proportionate to the interest that is to be protected.[15] Therefore, legal frameworks
that compel social networking services to retain
personal data, including transactional data and subscription information, may be in
violation of Article 17 of the United Nations International Covenant on Civil
and Political Rights and the European Convention on Human Rights.[16]

[12] See CDT-EFF, Proposed Smart Grid Privacy Policies and Procedures 5-9 (California
Public Utility Commission Rulemaking 08-12-009) (Oct. 15, 2010) (Attached as “Exhibit 1
of 1”).
[13] Supra note 1.
[14] Electronic Frontier Foundation, Best Practices for Online Service Providers, June 28,
2011, available at .
3.8 Freedom of Expression: Anonymity and Pseudonymity

We also commend the Council of Europe for asking a social networking service to
“consider allowing the possibility of pseudonymous profiles.” In particular, we are
pleased to read the “Declaration on freedom of communication on the Internet” which
supports anonymity and pseudonymity.[17] In the Declaration, the Committee
of Ministers stress that; “In order to ensure protection against online surveillance
and to enhance the free expression of information and ideas, member states should
respect the will of users of the Internet not to disclose their identity.”
Throughout!history,!individuals!have!been!writing!in!anonymous!or!pseudonymous!
ways.! Anonymous! and! pseudonymous! expression! allows! individuals! to! express!
unpopular! opinions,! honest! observations,! and! otherwise! unheard! complaints.!
Individuals! may! decide! to! communicate! anonymously! or! pseudonymously! out! of!
15 Martin! Scheinin,! “Report! of! the! Special! Rapporteur! on! the! promotion! and!
protection! of! human! rights! and! fundamental! freedoms! while! countering!
terrorism,”! p11,! available! at! .!See!also!General! Comments!No.! 27,!Adopted!
by!The!Human!Rights! Committee!Under! Article! 40,! Paragraph! 4,! Of! The!
International! Covenant On! Civil! And! Political! Rights,! CCPR/C/21/Rev.1/Add.9,!
November! 2,! 1999,! available! at! . 16

114
Digital!Civil!Rights!in!Europe,!French!Decree!Establishes!What!Data!Must!Be!Retaine
d By! Hosting! Providers,! EDRiDgram! D Number! 9.5,! March! 2011,! available! at! .!
See' also [Norwegian]! Protests! greet! new! data! storage! law,! ! April! 5,! 2011,!
available! at! .! See'
also,!European!Comission!Home!Affairs,!Taking!on!the!Data!Retention!Directive,!avail
able!at! .! See Report! of! The! Data! Retention! Conference,! ‘Towards! The!
Evaluation! Of! The! Data! Retention! Directive’,! Brussels,! 14! May! 2009, available at
. 17 Declaration!on!freedom!of!communication!on!the!Internet,!available!at . 9
concern!about!political!or!economic!retribution,!harassment,!or!even!threats!to!their!
lives. Unfortunately, Facebook’s Terms of Service requires Facebook users to provide
their real names and information.18 This practice creates serious risks particularly for
dissidents and human rights workers in developing democracies who are compelled to use
their real names on Facebook, especially those countries with weaker democracies, and
authoritarian regimes.19 Facebook’s real name policy creates a double negative effect: if
Facebook’s Terms of Service are violated for using a pseudonym, Facebook can disable an
individual’s account, shutting down a key avenue for political discourse.20 For example,
the administrator of the “We Are All Khaled Said,” Facebook page used a pseudonym. The
page encouraged its fans to document the Egyptian elections. However, the administrator’s
Facebook account was deactivated just prior to the elections; the takedown of his account
resulted in the temporary takedown of the Facebook page.21 The Michael Anti case is
another example. Michael Anti is the pseudonym of a former journalist, who has used this
nickname for more than 10 years. Facebook deactivated his account and cut him off from
a network of more than 1,000 contacts who know him as Anti.22

18 Facebook, Statement of Rights and Responsibilities, available at .
19 Jillian C. York, Policing Content in the Quasi-Public Sphere, Open Net Initiative,
page 10, .
20 Eva Galperin, EFF Calls for Immediate Action to Defend Tunisian Activists Against
Government Cyberattacks, EFF, January 2011, available at .
21 Mike Giglio, Middle East Uprising: Facebook's Secret Role in Egypt, The Daily Beast,
February 24, .
22 Tiny Tran, Activist Michael Anti Furious He Lost Facebook Account--While Zuckerberg's
Dog Has Own Page, Huffington Post, August 3, 2011, available at .
23 See Laura Saunders, Is 'Friending' in Your Future? Better Pay Your Taxes First, The
Wall Street Journal, Lacrosse Tribune, August 27, 2009, available at . See also KJ Lang,
Facebook friend turns into Big Brother, November 19, 2009, available at .

3.9 Government Uses of Social Networking Services for Investigations and Beyond

Several news reports have made it clear that governments use social networking services
as a tool for investigation.23 The lack of transparency about how the personal data is
collected,
used, for how long it is kept, and who has access to it makes the problem even worse.24
EFF, with help from the Samuelson Clinic at the University of California Berkeley Law
School, made a series of US Freedom of Information Act (FOIA) requests asking various US
law enforcement agencies to disclose documents detailing their use of social networking
sites in their investigations.25 The documents disclosed through this project revealed,
among other things, Citizenship and Immigration’s surveillance of social networks to
investigate citizenship petitions and the DHS’s use of a “Social Networking Monitoring
Center” to collect and analyze online public communication during President Obama’s
inauguration. The center monitored social networking sites for “items of interest.”26 In
addition, we have found guidelines revealing how several US social networking services
handle requests for user information such as contact information, photos, IP logs, friend
networks, buying history, and private messages.27 The guides we have received through EFF
FOIA requests show that social networking sites have struggled to develop consistent,
straightforward policies to govern how and when they will provide private user
information to law enforcement agencies. The guides also show how those policies have
evolved over time.28 We should emphasize that many of those guidelines are not made
available to the public by social networking services. It is worth pointing out that only
Craigslist’s and Twitter’s guides are posted on their websites. In addition to using this
information on social networking sites for law enforcement investigations, the US
government has been considering using it for all background checks in security
clearances.29 With just a name, address, date of birth, and social security number,
government-hired Internet investigators were able to find “noteworthy” search results for
as many as 53% of the 349 study participants. “Noteworthy” information included the
proclivity to put personal information online, but also included so-called “questionable”
material such as disclosure of “underage drinking, profanity, and extreme religious and/or
political views on public forums.” Social networking sites like MySpace were also
included in the background investigations.30 These techniques raise questions about the
limits and appropriate accountability concerning the ways in which government agencies
and law enforcement officials collect and analyze information about individuals online.

24 See also, Electronic Frontier Foundation, Lawsuit Demands Answers About
Social-Networking Surveillance, December 1, 2009, available at .
25 Electronic Frontier Foundation, FOIA: Social Networking Monitoring Site, available at
26 Electronic Frontier Foundation, Lawsuit Demands Answers About Social-Networking
Surveillance, December 1, 2009, .
27 Jennifer Lynch, Social Media and Law Enforcement: Who Gets What Data and When?,
Electronic Frontier Foundation, January 20, 2011, available at .
28 See EFF comprehensive spreadsheet that compares how social networking services handle
requests for user information such as contact information, photos, IP logs, friend
networks, buying history, and private messages, available at .
29 Electronic Frontier Foundation, FOIA: Office of the Director of National Intelligence,
available at .

4. Conclusion

EFF respectfully asks the Council of Europe to revise its guidelines and recommendation
to ensure that social networking services will protect privacy vis-à-vis the government,
foster transparency on the disclosure of citizens' data pursuant to a governmental or
private party request, foster transparency on requests for content removal or the
censorship of content, foster transparency on social networking services’ guidelines for
law enforcement seeking to request information about users. EFF also asks the Council of
Europe to ensure that freedom of expression rights, including the readers’ rights to use
social networking services anonymously be respected, and not curtailed, by social
networking services. The Council of Europe should also ensure appropriate accountability
concerning the ways in which government agencies and law enforcement officials collect
and analyze information about individuals online. Finally, any government request to get
access to users' personal data should include a provision to remunerate a social
networking service. This provision will incentivize governments towards mitigating on
the possibility of unlimited requests.
EFF would be pleased to answer any questions on these matters.
Thank you for your consideration.
Katitza Rodriguez Pereda
International Rights Director
Electronic Frontier Foundation
katitza@eff.org | https://www.eff.org

30 Jennifer Lynch, Government Finds Uses for Social Networking Sites Beyond
Investigations, Electronic Frontier Foundation, .
