(LL.M 1213)
Module I
I) CONCEPTUAL AND THEORETICAL PERSPECTIVE OF CYBER LAW
Introduction to Indian Cyber Law
This document is an extract from the book IPR & Cyberspace – Indian Perspective authored by Rohas Nagpal. This book is available as courseware for the Diploma in Cyber Law and PG Program in Cyber Law conducted by Asian School of Cyber Laws www.asianlaws.org
Fundamentals of Cyber Law © 2008 Rohas Nagpal. All rights reserved.
1. Jurisprudence of Cyber Law
Jurisprudence studies the concepts of law and the effect of social norms and regulations on the development of law. Jurisprudence refers to two different things.
1. The philosophy of law, or legal theory
2. Case Law
Legal theory does not study the characteristics of law in a particular country (e.g. India or Canada) but studies law in general i.e. those attributes common to all legal systems. Legal theory studies questions such as:
1. What is law and legal system?
2. What is the relationship between law and power?
3. What is the relationship between law and justice or morality?
4. Does every society have a legal system?
5. How should we understand concepts like legal rights and legal obligations or duties?
6. What is the proper function of law?
7. What sort of acts should be subject to punishment, and what sort of punishments should be permitted?
8. What is justice?
9. What rights do we have?
10. Is there a duty to obey the law?
11. What value does the rule of law have?
Case law is the law that is established through the decisions of the courts and other officials. Case law assumes even greater significance when the wordings of a particular law are ambiguous. The interpretation of the Courts helps clarify the real objectives and meaning of such laws.
This chapter first discusses the meaning of cyber law and the need for the separate discipline of cyber law. This chapter covers the following topics:
1. What Is Cyber Law?
2. Need for Cyber Law
3. Jurisprudence of Indian Cyber Law
4. Evolution of Key Terms and Concepts
5. Evolution of Cyber Crime
1.1 What is Cyber Law?
Cyber Law is the law governing cyber space.
Cyber space is a very wide term and includes computers, networks, software, data storage devices (such as hard disks, USB disks etc), the Internet, websites, emails and even electronic devices such as cell phones, ATM machines etc.
Law encompasses the rules of conduct:
1. that have been approved by the government, and
2. which are in force over a certain territory, and
3. which must be obeyed by all persons on that territory.
Violation of these rules could lead to government action such as imprisonment or fine or an order to pay compensation.
Cyber law encompasses laws relating to:
1. Cyber Crimes
2. Electronic and Digital Signatures
3. Intellectual Property
4. Data Protection and Privacy
Cyber crimes are unlawful acts where the computer is used either as a tool or a target or both. The enormous growth in electronic commerce (e-commerce) and online share trading has led to a phenomenal spurt in incidents of cyber crime. These crimes are discussed in detail further in this chapter. A comprehensive discussion on the Indian law relating to cyber crimes and digital evidence is provided in the ASCL publication titled “Cyber Crimes & Digital Evidence – Indian Perspective”.
Electronic signatures are used to authenticate electronic records. Digital signatures are one type of electronic signature. Digital signatures satisfy three major legal requirements – signer authentication, message authentication and message integrity. The technology and efficiency of digital signatures make them more trustworthy than handwritten signatures. These issues are discussed in detail in the ASCL publication titled “Ecommerce – Legal Issues”.
Intellectual property refers to creations of the human mind e.g. a story, a song, a painting, a design etc. The facets of intellectual property that relate to cyber space are covered by cyber law. These include:
• copyright law in relation to computer software, computer source code, websites, cell phone content etc,
• software and source code licences
• trademark law with relation to domain names, meta tags, mirroring, framing, linking etc
• semiconductor law which relates to the protection of semiconductor integrated circuits design and layouts,
• patent law in relation to computer hardware and software.
These issues are discussed in detail in the ASCL publication titled “IPR & Cyberspace - the Indian Perspective”.
Data protection and privacy laws aim to achieve a fair balance between the privacy rights of the individual and the interests of data controllers such as banks, hospitals, email service providers etc. These laws seek to address the challenges to privacy caused by collecting, storing and transmitting data using new technologies.
1.2 Need for Cyber Law
There are
various reasons why it is extremely difficult for conventional law to cope with cyberspace. Some of these are discussed below.
1. Cyberspace is an intangible dimension that is impossible to govern and regulate using conventional law.
2. Cyberspace has complete disrespect for jurisdictional boundaries. A person in India could break into a bank’s electronic vault hosted on a computer in USA and transfer millions of Rupees to another bank in Switzerland, all within minutes. All he would need is a laptop computer and a cell phone.
3. Cyberspace handles gigantic traffic volumes every second. Billions of emails are crisscrossing the globe even as we read this, millions of websites are being accessed every minute and billions of dollars are electronically transferred around the world by banks every day.
4. Cyberspace is absolutely open to participation by all. A ten-year-old in Bhutan can have a live chat session with an eight-year-old in Bali without any regard for the distance or the anonymity between them.
5. Cyberspace offers enormous potential for anonymity to its members. Readily available encryption software and steganographic tools that seamlessly hide information within image and sound files ensure the confidentiality of information exchanged between cyber-citizens.
6. Cyberspace offers never-seen-before economic efficiency. Billions of dollars worth of software can be traded over the Internet without the need for any government licenses, shipping and handling charges and without paying any customs duty.
7. Electronic information has become the main object of cyber crime. It is characterized by extreme mobility, which exceeds by far the mobility of persons, goods or other services. International computer networks can transfer huge amounts of data around the globe in a matter of seconds.
8. A software source code worth crores of rupees or a movie can be pirated across the globe within hours of their release.
9. Theft of corporeal information (e.g. books, papers, CD ROMs, floppy disks) is easily covered by traditional penal provisions. However, the problem begins when electronic records are copied quickly, inconspicuously and often via telecommunication facilities. Here the “original” information, so to say, remains in the “possession” of the “owner” and yet information gets stolen.
1.3 Jurisprudence of Indian Cyber Law
The primary source of cyber law in India is the Information
Technology Act, 2000 (IT Act) which came into force on 17 October 2000. The
primary purpose of the Act is to provide legal recognition to electronic commerce
and to facilitate filing of electronic records with the Government. The IT Act also
penalizes various cyber crimes and provides strict punishments (imprisonment
terms up to 10 years and compensation up to Rs 1 crore). An Executive Order
dated 12 September 2002 contained instructions relating to provisions of the Act
with regard to protected systems and application for the issue of a Digital
Signature Certificate. Minor errors in the Act were rectified by the Information
Technology (Removal of Difficulties) Order, 2002 which was passed on 19
September 2002. The IT Act was amended by the Negotiable Instruments
(Amendments and Miscellaneous Provisions) Act, 2002. This introduced the
concept of electronic cheques and truncated cheques. Information Technology
(Use of Electronic Records and Digital Signatures) Rules, 2004 has provided the
necessary legal framework for filing of documents with the Government as well
as issue of licenses by the Government. It also provides for payment and receipt
of fees in relation to the Government bodies. On the same day, the Information
Technology (Certifying Authorities) Rules, 2000 also came into force. These rules
prescribe the eligibility, appointment and working of Certifying Authorities (CA).
These rules also lay down the technical standards, procedures and security
methods to be used by a CA. These rules were amended in 2003, 2004 and
2006. Note: The Act, rules, regulations, orders etc referred to in this section are
discussed in more detail in the Chapter 3 titled “Introduction to Indian Cyber
Law”. Information Technology (Certifying Authority) Regulations, 2001 came
into force on 9 July 2001. They provide further technical standards and
procedures to be used by a CA. Two important guidelines relating to CAs were
issued. The first are the Guidelines for submission of application for license to
operate as a Certifying Authority under the IT Act. These guidelines were issued
on 9th July 2001. Next were the Guidelines for submission of certificates and
certification revocation lists to the Controller of Certifying Authorities for
publishing in National Repository of Digital Certificates. These were issued on
16th December 2002. The Cyber Regulations Appellate Tribunal (Procedure)
Rules, 2000 also came into force on 17th October 2000. These rules prescribe
the appointment and working of the Cyber Regulations Appellate Tribunal
(CRAT) whose primary role is to hear appeals against orders of the Adjudicating
Officers. The Cyber Regulations Appellate Tribunal (Salary, Allowances and
other terms and conditions of service of Presiding Officer) Rules, 2003 prescribe
the salary, allowances and other terms for the Presiding Officer of the CRAT.
Information Technology (Other powers of Civil Court vested in Cyber Appellate
Tribunal) Rules 2003 provided some additional powers to the CRAT. On 17th
March 2003, the Information Technology (Qualification and Experience of
Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 were passed.
These rules prescribe the qualifications required for Adjudicating Officers. Their
chief responsibility under the IT Act is to adjudicate on cases such as
unauthorized access, unauthorized copying of data, spread of viruses, denial of
service attacks, disruption of computers, computer manipulation etc. These rules
also prescribe the manner and mode of inquiry and adjudication by these
officers. The appointment of adjudicating officers to decide the fate of multi-crore
cyber crime cases in India was the result of the public interest litigation filed by
students of Asian School of Cyber Laws (ASCL). The Government had not appointed
the Adjudicating Officers or the Cyber Regulations Appellate Tribunal for almost
2 years after the passage of the IT Act. This prompted ASCL students to file a
Public Interest Litigation (PIL) in the Bombay High Court asking for a speedy
appointment of Adjudicating officers. The Bombay High Court, in its order dated
9th October 2002, directed the Central Government to announce the
appointment of adjudicating officers in the public media to make people aware of
the appointments. The division bench of the Mumbai High Court consisting of
Hon’ble Justice A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that
the Cyber Regulations Appellate Tribunal be constituted within a reasonable time
frame. Following this the Central Government passed an order dated 23rd March
2003 appointing the “Secretary of Department of Information Technology of each
of the States or of Union Territories” of India as the adjudicating officers. The
Information Technology (Security Procedure) Rules, 2004 came into force on
29th October 2004. They prescribe provisions relating to secure digital signatures
and secure electronic records. Also relevant are the Information Technology
(Other Standards) Rules, 2003. An important order relating to blocking of
websites was passed on 27th February, 2003. Computer Emergency Response
Team (CERT-IND) can instruct Department of Telecommunications (DOT) to
block a website. The Indian Penal Code (as amended by the IT Act) penalizes
several cyber crimes. These include forgery of electronic records, cyber frauds,
destroying electronic evidence etc. Digital Evidence is to be collected and proven
in court as per the provisions of the Indian Evidence Act (as amended by the IT
Act). In case of bank records, the provisions of the Bankers’ Book Evidence Act
(as amended by the IT Act) are relevant. Investigation and adjudication of cyber
crimes is done in accordance with the provisions of the Code of Criminal
Procedure and the IT Act. The Reserve Bank of India Act was also amended by the IT Act.
1.4 Evolution of key terms and concepts
To understand the jurisprudence of cyber law, it is essential to examine how the definitions of key terms and concepts have developed.
1.4.1 Computer
According to section 2(1)(i) of the IT Act "computer" means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
Simply put, a computer has the following characteristics:
1. It is a high-speed data processing device or system.
2. It may be electronic, magnetic, optical etc.
3. It performs logical, arithmetic, and memory functions
4. These functions are performed by manipulations of electronic, magnetic or optical impulses.
Computer includes
1. all input facilities,
2. all output facilities,
3. all processing facilities,
4. all storage facilities,
5. all computer software facilities, and
6. all communication facilities
which are connected or related to the computer in a computer system or network.
Let us examine the important terms used in this definition:
According to American law, electronic means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities. [Title 15, Chapter 96, Sub-chapter I, section 7006(2), US Code].
Magnetic means having the properties of a magnet; i.e.
of attracting iron or steel e.g. parts of a hard disk are covered with a thin coat of
magnetic material. Simply put, an optical computer uses light instead of electricity
to manipulate, store and transmit data. Development of this technology is still in a
nascent stage. Optical data processing can perform several operations
simultaneously (in parallel) much faster and easier than electronics. Optical fibre
is the medium and the technology associated with the transmission of information
as light pulses along a glass or plastic wire or fibre. Optical fibre carries much
more information than conventional copper wire and is in general not subject to
electromagnetic interference.
A data processing device or system is a mechanism that can perform pre-defined operations upon information. The following are illustrations of functions in relation to a conventional desktop personal computer.
• saving information on a hard disk,
• logging on to the Internet,
• retrieving stored information,
• calculating mathematical formulae.
Logical functions, simply put, refer to nonarithmetic processing that arranges numbers or letters according to a predefined format e.g. arranging numbers in ascending order, arranging words alphabetically etc.
Arithmetic functions, simply put, are operations concerned or involved with mathematics and the addition, subtraction, multiplication and division of numbers.
Memory functions, simply put, refer to operations involving storage of data.
Input facilities are those which transfer
information from the outside world into a computer system. E.g. keyboard,
mouse, touch screen, joystick, microphone, scanner etc. Output facilities are
those which transfer data out of the computer in the form of text, images, sounds
etc to a display screen, printer, storage device etc. Hard disks, USB disks,
floppies act as both input and output facilities. Processing facilities primarily
refer to the Central Processing Unit (CPU) of a computer. Referred to as the
“brain” of the computer, the CPU processes instructions and data. Storage
facilities include hard disks and other data storage facilities. This term would also
include the physical cabinet in which a computer is housed. Computer software
facilities refer to the operating system and application software that are essential
for a computer to function in a useful manner. Communication facilities include
the network interface cards, modems and other devices that enable a computer
to communicate with other computers.
Illustrations
Considering the wide definition given to the term computer by the IT Act the following are examples of “computers”:
• desktop personal computers
• mobile phones
• microwave ovens
• computer printers
• scanners
• installed computer software
• Automatic Teller Machine (ATM)
• “smart” homes which can be controlled through the Internet
Relevant Case Law
In an interesting case, the Karnataka High Court laid down
that ATMs are not computers, but are electronic devices under the Karnataka
Sales Tax Act, 1957. Diebold Systems Pvt Ltd [a manufacturer and supplier of
Automated Teller Machines (ATM)] had sought a clarification from the Advance
Ruling Authority (ARA) in Karnataka on the rate of tax applicable under the
Karnataka Sales Tax Act, 1957 on sale of ATMs. The majority view of the ARA
was to classify ATMs as "computer terminals" liable for 4% basic tax as they
would fall under Entry 20(ii)(b) of Part 'C' of Second Schedule to the Karnataka
Sales Tax Act. The Chairman of the ARA dissented from the majority view. In his
opinion, ATMs would fit into the description of electronic goods, parts and
accessories thereof. They would thus attract 12% basic tax and would fall under
Entry 4 of Part 'E' of the Second Schedule to the KST Act. The Commissioner of
Commercial Taxes was of the view that the ARA ruling was erroneous and
passed an order that ATMs cannot be classified as computer terminals. The High
Court of Karnataka acknowledged that the IT Act provided an enlarged definition
of "computers". However, the Court held that such a wide definition could not be
used for interpreting a taxation related law such as the Karnataka Sales Tax Act,
1957. The High Court also said that an ATM is not a computer by itself and it is
connected to a computer that performs the tasks requested by the persons using
the ATM. The computer is connected electronically to many ATMs that may be
located at some distance from the computer.
Diebold Systems Pvt Ltd vs. Commissioner of Commercial Taxes ILR 2005 KAR 2210, [2006] 144 STC 59(Kar)
1.4.2 Data
According to section 2(1)(o) of the IT Act “data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
Simply put, data is
1. a representation of information, knowledge, facts, concepts or instructions,
2. prepared or being prepared in a formalized manner,
3. processed, being processed or sought to be processed in a computer.
Illustration
Sanya is typing a document on her computer. The moment she presses keys on her keyboard, the corresponding alphabets are shown on her screen. But in the background some parts of the document are stored in the RAM of her computer (being processed) while other parts are stored on the hard disk (processed). At any given instant some information would be passing from her keyboard to the computer (sought to be processed).
Data can be in many forms such as
1. computer printouts,
2. magnetic storage media e.g. hard disks,
3. optical storage media e.g. CD ROMs, DVDs, VCDs
4. punched cards or tapes i.e. a paper card in which holes are punched.
Illustration
The electronic version of this book stored on your computer or on a CD would be “data”. A printout of the electronic version of this book will also be “data”.
1.4.3 Computer Software
Computer software is a general term
that describes a collection of:
1. computer programs,
2. procedures and
3. documentation.
Computer hardware, on the other hand, consists of the physical devices that can store and execute computer software.
Illustration
Sanya downloads the OpenOffice software from the Internet. In effect what she downloads is an executable file. She double-clicks on the executable file and begins to install the software on her computer. During the installation she specifies the part (drive and folder name etc) of the hard disk where the software files must be saved. During the installation the software also makes entries in system files (e.g. registry) maintained by the operating system (e.g. Windows XP). Once the installation is complete, Sanya can run the software. When she runs the software, relevant software files get loaded into RAM and are subsequently executed in the CPU (central processing unit).
Computer software can be divided into two fundamental categories – system software and application software. Application software uses the computer directly for performing user tasks. System software enables the application software to use the computer’s capabilities.
Analogy
An oil company drills for oil on the sea bed. This oil is then processed and provided to the customer in the form of petrol for his car. Here the petrol is like the application software – it helps the user to run his car. The oil company is like the system software – it enables the petrol to be taken to the user.
System software can be of various types such as:
1. operating systems which form the platform for all other software on a computer,
2. device drivers which allow computer programs to interact with hardware devices such as printers, scanners etc,
3. programming tools which help programmers to develop and test other programs,
4. compilers which compile the source code into the object code,
5. linkers which link object code files (and libraries) to generate an executable file,
6. utility software that helps manage and tune the computer hardware, operating system or application software.
Application software includes
1. word processors (e.g. Microsoft Word),
2. spreadsheets (e.g. Microsoft Excel)
3. presentation software (e.g. Microsoft Powerpoint)
4. media players (e.g. Microsoft Windows Media Player)
5. games (e.g. Need for Speed, Age of Empires)
6. forensic software (e.g. Winhex, X-Ways Forensics)
7. encryption software (e.g. PGP)
8. Internet browsers (e.g. Mozilla Firefox)
9. FTP clients (e.g. FireFTP)
and hundreds of other types of software.
1.4.4 Computer System
According to section 2(1)(l) of the IT Act "computer system" means a
device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programs, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
Simply put, a computer system has the following characteristics:
1. it is a device or collection of devices which contain data or programs,
2. it performs functions such as logic, storage, arithmetic etc,
3. it includes input and output support systems,
4. it excludes non-programmable calculators.
Illustrations:
• Laptop computers
• Cell phones
• Sophisticated laser printers
• Hi-end scanners
The American courts have held that the Internet falls under the definition of computer system and the use of email is accessing a computer. State of Pennsylvania v. Murgalis [No. 189 MDA 1999 (Pa. Super.Ct., June 2, 200)]
1.4.5 Computer Network
According to section 2(1)(j) of the IT Act "computer network" means the interconnection of one
or more computers through: (i) the use of satellite, microwave, terrestrial line or other communication media and (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained.
Simply put, a computer network is the interconnection of one or more computers through:
• satellite
Satellite Internet connection is an arrangement in which the outgoing and incoming data travels through a satellite. Each subscriber’s hardware includes a satellite dish antenna and a transceiver (transmitter / receiver). The dish antenna transmits and receives signals.
• microwave
The term microwave refers to electromagnetic waves of a particular frequency. Microwave frequencies are used in radars, Bluetooth devices, radio astronomy, GSM mobile phone networks, broadcasting and telecommunication transmissions etc.
• terrestrial line or
Terrestrial lines include fibre optic cables, telephone lines etc.
• other communication media
Communication media refers to any instrument or means that facilitates the transfer of data, as between a computer and peripherals or between two computers. Other ways in which two
computers can be connected include cables, hubs, switches etc.
international trade, trade relations and the legal systems. In this emerging scenario
fusion of intellect and technology has struck the world and stretched our minds,
capabilities and capacities irreversibly. This irreversibility in turn calls for questioning as
to how to manage and gain from the globalisation process in the digital environment. As
the quest for greater mobility, efficiency and integration requires changed governance
structures, the need for harmonization of laws and international cooperation for their
enforcement, is well recognised. In the changing corporate landscape, in which national
economies seek to integrate themselves through the vehicle of information technology to
create new economic order, the existing governance systems have, to a large extent,
become redundant and appear incapable of maintaining their relevance, thus
providing impetus for corporate law reforms and evolving uniform e-governance norms
across the world. Therefore, modernisation of laws assumes priority in the economic
reforms process as alignment of law with changing norms is an essential prerequisite for
a growing economy and promoting economic development. These modern legislations
have to deal with the impact of changing trends in the economy and technology.
The basic objective of the 29th National Convention is essentially to gauge the direction
and evaluate the magnitude of developments in corporate and cyber laws and to
deliberate upon their desired orientation.
Given the recognition that the ultimate goal in the new economic order is that
corporations are governed in a transparent manner and behave responsively to
the societal demands, the importance of corporate behaviour to its performance,
competitiveness and growth cannot be overstated. It is in this context that the
developments in company law have made qualitative improvements in
substantive as well as procedural aspects of law. Corporate self-regulation has
been encouraged with proper checks and balances. The elements of good
corporate governance, investor protection and shareholder democracy have
been strengthened. However, corporate realities in the wake of globalisation and
advancement in information technology remain unattended. In this context
directors meeting on phone, consolidation of accounts, limited liability partnership
and virtual companies are issues among others requiring focused attention of the
Government. Differences in national law and procedures create consequences
for companies with assets and liabilities in other countries and require putting in
place an entirely new legislation compatible with international trends, capable of
providing quick, expeditious and efficient winding up procedure. It is in this
context that the Government is in the process of introducing further changes in
the company law.
The First Technical Session will discuss in detail the developments in company
law and deliberate upon various contemporary issues necessary for better
corporate governance structure in an E-enabled environment.
the regulatory system, drawing from own experiences, including periodic crises,
and following major changes in international regulatory experiments.
The Second Technical Session will therefore discuss the impact of global
integration on Indian financial system and securities market and developments in
securities laws to make the integration smooth. The discussion will also focus on
the changes taking place in the regulatory framework for financial markets.
on the combination of trade liberalisation, economic development and
environmental protection.
Thus, this penultimate Technical Session will focus its attention on reforms in
trade related laws and charting a future agenda for making them more aligned to
emerging new economic order and the economic policies. The Intellectual
Property Laws, Competition Bill, mergers, acquisition and combinations will
receive added emphasis.
It is in this context that the concluding Technical Session will discuss global
developments in regulatory framework for internet and cyber space. The
discussion will also focus on various aspects of cyber laws in India and the
progress on international cooperation.
MODULE II
CYBER LAW: LEGAL ISSUES AND
CHALLENGES IN INDIA, USA AND EU
I) DATA PROTECTION, CYBERSECURITY
Legal aspects of computing are related to the overlapping areas
of law and computing.
The first one, historically, was information technology law (or IT law). ("IT law"
should not be confused with the IT aspects of law itself, although there are
overlapping issues.) IT law consists of the law (statutes, regulations, and
caselaw) which governs the digital dissemination of both (digitalized) information
and software itself (see history of free and open-source software), and legal
aspects of information technology more broadly. IT law covers mainly
the digital information (including information security and electronic commerce)
aspects and it has been described as "paper laws" for a "paperless environment".
Cyberlaw or Internet law is a term that encapsulates the legal issues related to
use of the Internet. It is less a distinct field of law than intellectual
property or contract law, as it is a domain covering many areas of law and
regulation. Some leading topics include internet access and
usage, privacy, freedom of expression, and jurisdiction.
"Computer law" is a third term which tends to relate to issues including both
Internet law and the patent and copyright aspects of computer technology and
software.
Areas of law
This area covers intellectual property in general, including copyright, rules on fair use,
and special rules on copy protection for digital media, and circumvention of such
schemes. The area of software patents is controversial, and still evolving in
Europe and elsewhere.[1]
The related topics of software licenses, end user license agreements, free
software licenses and open-source licenses can involve discussion of product
liability, professional liability of individual developers, warranties, contract law,
trade secrets and intellectual property.
There are rules on the uses to which computers and computer networks may be
put; in particular, there are rules on unauthorized access, data
privacy and spamming. There are also limits on the use of encryption and of
equipment which may be used to defeat copy protection schemes. The export of
hardware and software between certain states within the United States is also
controlled.
There are laws governing trade on the Internet, taxation, consumer protection,
and advertising.
In certain circumstances and jurisdictions, computer communications may be
used in evidence, and to establish contracts. New methods of tapping and
surveillance made possible by computers have wildly differing rules on how they
may be used by law enforcement bodies and as evidence in court.
Some states limit access to the Internet, by law as well as by technical means.
Jurisdiction
Issues of jurisdiction and sovereignty have quickly come to the fore in the era of
the Internet.
conditions of our world, not yours. Our world is different".[2] A more balanced
alternative is the Declaration of Cybersecession: "Human beings possess a mind,
which they are absolutely free to inhabit with no legal constraints. Human
civilization is developing its own (collective) mind. All we want is to be free to
inhabit it with no legal constraints. Since you make sure we cannot harm you,
you have no ethical right to intrude our lives. So stop intruding!"[3] Other scholars
argue for more of a compromise between the two notions, such as Lawrence
Lessig's argument that "The problem for law is to work out how the norms of the
two communities are to apply given that the subject to whom they apply may be
in both places at once" (Lessig, Code 190).
With the internationalism of the Internet, jurisdiction is a much more tricky area
than before, and courts in different countries have taken various views on
whether they have jurisdiction over items published on the Internet, or business
agreements entered into over the Internet. This can cover areas from contract
law, trading standards and tax, through rules on unauthorized access, data
privacy and spamming to more political areas such as freedom of speech,
censorship, libel or sedition.
Certainly, the frontier idea that the law does not apply in "Cyberspace" is not true.
In fact, conflicting laws from different jurisdictions may apply, simultaneously, to
the same event. The Internet does not tend to make geographical and
jurisdictional boundaries clear, but Internet users remain in physical jurisdictions
and are subject to laws independent of their presence on the Internet. [4] As such,
a single transaction may involve the laws of at least three jurisdictions:
So a user in one of the United States conducting a transaction with another user
in Britain through a server in Canada could theoretically be subject to the laws of
all three countries as they relate to the transaction at hand.[5]
In practical terms, a user of the Internet is subject to the laws of the state or
nation within which he or she goes online. Thus, in the U.S., Jake Baker faced
criminal charges for his e-conduct, and numerous users of peer-to-peer file-sharing
software were subject to civil lawsuits for copyright infringement. This
system runs into conflicts, however, when these suits are international in nature.
Simply put, legal conduct in one nation may be decidedly illegal in another. In
fact, even different standards concerning the burden of proof in a civil case can
cause jurisdictional problems. For example, an American celebrity, claiming to be
insulted by an online American magazine, faces a difficult task of winning a
lawsuit against that magazine for libel. But if the celebrity has ties, economic or
otherwise, to England, he or she can sue for libel in the British court system,
where the standard of "libelous speech" is far lower.
Internet Law
The law that regulates the Internet must be considered in the context of the
geographic scope of the Internet and political borders that are crossed in the
process of sending data around the globe. The unique global structure of
the Internet raises not only jurisdictional issues, that is, the authority to make and
enforce laws affecting the Internet, but also questions concerning the nature of
the laws themselves.
In their essay "Law and Borders -- The Rise of Law in Cyberspace", David R.
Johnson and David G. Post argue that it became necessary for the Internet to
govern itself and instead of obeying the laws of a particular country, "Internet
citizens" will obey the laws of electronic entities like service providers. Instead of
identifying as a physical person, Internet citizens will be known by their
usernames or email addresses (or, more recently, by their Facebook accounts).
Over time, suggestions that the Internet can be self-regulated as being its own
trans-national "nation" are being supplanted by a multitude of external and
internal regulators and forces, both governmental and private, at many different
levels. The nature of Internet law remains a legal paradigm shift, very much in
the process of development.[6]
1. Law: What Lessig calls "Standard East Coast Code," from laws enacted
by government in Washington D.C. This is the most self-evident of the
four modes of regulation. As the numerous United States statutes, codes,
regulations, and evolving case law make clear, many actions on the
Internet are already subject to conventional laws, both with regard to
transactions conducted on the Internet and content posted. Areas like
gambling, child pornography, and fraud are regulated in very similar ways
online as off-line. While one of the most controversial and unclear areas
of evolving laws is the determination of what forum has subject matter
jurisdiction over activity (economic and other) conducted on the internet,
particularly as cross border transactions affect local jurisdictions, it is
certainly clear that substantial portions of internet activity are subject to
traditional regulation, and that conduct that is unlawful off-line is
presumptively unlawful online, and subject to traditional enforcement of
similar laws and regulations.
2. Architecture: What Lessig calls "West Coast Code," from the
programming code of the Silicon Valley. These mechanisms concern the
parameters of how information can and cannot be transmitted across the
Internet. Everything from internet filtering software (which searches for
keywords or specific URLs and blocks them before they can even appear
on the computer requesting them), to encryption programs, to the very
basic architecture of TCP/IP protocols and user interfaces falls within this
category of mainly private regulation. It is arguable that all other modes of
internet regulation either rely on, or are significantly affected by, West
Coast Code.
3. Norms: As in all other modes of social interaction, conduct is regulated by
social norms and conventions in significant ways. While certain activities
or kinds of conduct online may not be specifically prohibited by the code
architecture of the Internet, or expressly prohibited by traditional
governmental law, nevertheless these activities or conduct are regulated
by the standards of the community in which the activity takes place, in this
case internet "users." Just as certain patterns of conduct will cause an
individual to be ostracized from our real world society, so too certain
actions will be censored or self-regulated by the norms of whatever
community one chooses to associate with on the internet.
4. Markets: Closely allied with regulation by social norms, markets also
regulate certain patterns of conduct on the Internet. While economic
markets will have limited influence over non-commercial portions of the
Internet, the Internet also creates a virtual marketplace for information,
and such information affects everything from the comparative valuation of
services to the traditional valuation of stocks. In addition, the increase in
popularity of the Internet as a means for transacting all forms of
commercial activity, and as a forum for advertisement, has brought the
laws of supply and demand to cyberspace. Market forces of supply and
demand also affect connectivity to the Internet, the cost of bandwidth, and
the availability of software to facilitate the creation, posting, and use of
internet content.
These forces or regulators of the Internet do not act independently of each other.
For example, governmental laws may be influenced by greater societal norms,
and markets affected by the nature and quality of the code that operates a
particular system.
Net neutrality
Another major area of interest is net neutrality, which affects the regulation of the
infrastructure of the Internet. Though not obvious to most Internet users, every
packet of data sent and received by every user on the Internet passes through
routers and transmission infrastructure owned by a collection of private and
public entities, including telecommunications companies, universities, and
governments. This is turning into one of the most critical aspects of cyberlaw and
has immediate jurisdictional implications, as laws in force in one jurisdiction have
the potential to have dramatic effects in other jurisdictions when host servers or
telecommunications companies are affected.
Article 19 of the Universal Declaration of Human Rights calls for the protection
of free expression in all media.
These complexities have taken many forms, three notable examples being
the Jake Baker incident, in which the limits of obscene Internet postings were at
issue, the controversial distribution of the DeCSS code, and Gutnick v Dow
Jones, in which libel laws were considered in the context of online publishing.
The last example was particularly significant because it epitomized the
complexities inherent to applying one country's laws (nation-specific by definition)
to the internet (international by nature). In 2003, Jonathan Zittrain considered this
issue in his paper, "Be Careful What You Ask For: Reconciling a Global Internet
and Local Law".[7]
In the UK the case of Keith-Smith v Williams confirmed that existing libel laws
applied to internet discussions.[8]
In terms of the tort liability of ISPs and hosts of internet forums, Section 230(c) of
the Communications Decency Act may provide immunity in the United States.[9]
Internet censorship
expression on the one hand and legitimate government concerns on the other
hand.[12]
At the close of the 19th Century, concerns about privacy captivated the general
public, and led to the 1890 publication of Samuel Warren and Louis Brandeis:
"The Right to Privacy".[13] The vitality of this article can be seen today, when
examining the USSC decision of Kyllo v. United States, 533 U.S. 27 (2001)
where it is cited by the majority, those in concurrence, and even those in
dissent.[14]
In 1967, the United States Supreme Court decision in Katz v United States, 389
U.S. 347 (1967) established what is known as the Reasonable Expectation of
Privacy Test to determine the applicability of the Fourth Amendment in a given
situation. The test was not noted by the majority; instead, it was
articulated in the concurring opinion of Justice Harlan. Under this
test, 1) a person must exhibit an "actual (subjective) expectation of privacy" and
2) "the expectation [must] be one that society is prepared to recognize as
'reasonable.'"
Privacy Act of 1974
Inspired by the Watergate scandal, the United States Congress enacted the
Privacy Act of 1974 just four months after the resignation of then
President Richard Nixon. In passing this Act, Congress found that "the privacy of
an individual is directly affected by the collection, maintenance, use, and
dissemination of personal information by Federal agencies" and that "the
increasing use of computers and sophisticated information technology, while
essential to the efficient operations of the Government, has greatly magnified the
harm to individual privacy that can occur from any collection, maintenance, use,
or dissemination of personal information."
For more information see: Privacy Act of 1974
in the domestic venue into three parts: 1) Wiretap Act, 2) Stored Communications
Act, and 3) The Pen Register Act.
Types of Communication
The DPPA was passed in response to states selling motor vehicle records to
private industry. These records contained personal information such as
name, address, phone number, SSN, medical information, height, weight,
gender, eye color, photograph and date of birth. In 1994, Congress passed
the Driver's Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721-2725, to cease
this activity.
For more information see: Driver's Privacy Protection Act
to "insure security and confidentiality of customer records and information"
and "protect against unauthorized access" to this information. 15
U.S.C. § 6801
For more information see: Gramm-Leach-Bliley Act
This Act mandates that intelligence be "provided in its most shareable form"
and that the heads of intelligence agencies and federal departments "promote a
culture of information sharing." The IRTPA also sought to establish protection
of privacy and civil liberties by setting up a five-member Privacy and Civil
Liberties Oversight Board. This Board offers advice to both the President of
the United States and the entire executive branch of the Federal Government
concerning its actions to ensure that the branch's information sharing policies
are adequately protecting privacy and civil liberties.
For more information see: Intelligence Reform and Terrorism Prevention Act
The Computer Misuse Act 1990[15] enacted by Great Britain on 29 June 1990,
and which came into force on 29 August 1990, is an example of one of the
earliest of such legal enactments. This Act was enacted with an express
purpose of making "provision for securing computer material against
unauthorized access or modification." Certain major provisions of the
Computer Misuse Act 1990 relate to:
The impact of the Computer Misuse Act 1990 has been limited and, with the
Council of Europe's adoption of its Convention on Cyber-Crime, it
has been indicated that amending legislation would be introduced in
parliamentary session 2004–05 in order to rectify possible gaps in its
coverage, which are many.
The CMA 1990 has many weaknesses; the most notable is its inability to
cater for, or provide suitable protection against, a host of high-tech
attacks/crimes which have become more prevalent in the last decade. Certain
attacks such as DDoS and botnet attacks cannot be effectively brought to
justice under the CMA. This Act has been under review for a number of years.
Computer crimes such as electronic theft are usually prosecuted in the UK
under the legislation that caters for traditional theft (Theft Act 1968), because
the CMA is so ineffective.
India
outside the territorial jurisdiction of Republic of India, by any person
irrespective of his nationality. In order to attract provisions of this Act, such an
offence or contravention should involve a computer, computer system, or
computer network located in India. The IT Act 2000 provides an
extraterritorial applicability to its provisions by virtue of section 1(2) read with
section 75. This Act has 90 sections.
India's Information Technology Act 2000 has tried to assimilate legal
principles available in several such laws (relating to information technology)
enacted earlier in several other countries, as well as various guidelines
pertaining to information technology law. The Act gives legal validity to
electronic contracts and recognition to electronic signatures. It is modern
legislation which makes acts like hacking, data theft, spreading of viruses,
identity theft, defamation (sending offensive messages), pornography, child
pornography and cyber terrorism criminal offences. The Act is supplemented by
a number of rules, which include rules for cyber cafes, electronic service
delivery, data security and blocking of websites. It also has rules for observance
of due diligence by internet intermediaries (ISPs, network service
providers, cyber cafes, etc.). Any person affected by data theft, hacking or
spreading of viruses can apply for compensation from the Adjudicator appointed
under Section 46 as well as file a criminal complaint. An appeal from the Adjudicator
lies to the Cyber Appellate Tribunal.
Other
Many Asian and Middle Eastern nations use any number of combinations of
code-based regulation (one of Lessig's four methods of net regulation) to
block material that their governments have deemed inappropriate for their
citizens to view. PRC, Saudi Arabia and Iran are three examples of nations
that have achieved high degrees of success in regulating their citizens'
access to the Internet.[11][18]
Australia - Electronic Transactions Act 1999 (Cth) (also note that there is
State and Territory mirror legislation)
Costa Rica - Digital Signature Law 8454 (2005)
European Union - Electronic Signature Directive (1999/93/EC)
Mexico - E-Commerce Act [2000]
U.S. - Digital Signature And Electronic Authentication Law
U.S. - Electronic Signatures in Global and National Commerce Act
U.S. - Government Paperwork Elimination Act (GPEA)
U.S. - Uniform Commercial Code (UCC)
U.S. - Uniform Electronic Transactions Act - adopted by 46 states
UK - s.7 Electronic Communications Act 2000
2. United States Office of Management and Budget
Enforcement agencies
The Information Technology Laws of various countries, and/or their criminal
laws generally stipulate enforcement agencies, entrusted with the task of
enforcing the legal provisions and requirements.
Over 25 U.S. federal agencies have regulations concerning the use of digital
and electronic signatures.[19]
India
and interpreting agreements in the areas of software licensing and
maintenance, IT consulting, e-commerce, web site hosting and development,
and telecommunications agreements, as well as handling dispute resolution
and assisting with the client's Internet domain name portfolio. An information
technology attorney works with engineering, IT, and other business units and
ensures that customer information gathered by the company is collected, stored
and used in compliance with privacy policies and applicable laws.
Duties also include providing high quality, specialized and practical advice in
business-to-business and business-to-consumer arrangements and advising
on issues like IT outsourcing arrangements, software and hardware supply
and implementation agreements. An information technology attorney
contracts for web site developers and consultants in relation to on-line
projects. Provides support and maintains confidentiality/know how
agreements. Contracts for Internet service providers and data protection
advice. An information technology attorney should have a JD degree or an
LL.M degree with admission to the local state bar.
Participants
Company directors, secretaries and other senior executives in the corporate and
financial services sector, practising professionals in secretarial, financial, legal
and management disciplines would benefit from participation in the Convention.
Faculty
Eminent persons from the Government & industry, including professionals and
management experts will address the participants and there would be
brainstorming sessions and interactions. Papers received from professional
bodies abroad will also be presented in the Convention.
Members who wish to contribute papers for publication in the Souvenir or for
circulation at the Conference are requested to send the same preferably in a
computer floppy or through E-mail (drs@icsi-India.com.) with one hard copy or
those sending only hard copy may send the same in quadruplicate to the Institute
before October 15, 2001. Papers should not normally exceed 15 typed pages.
These will be considered by a Screening Committee and the decision of the
Institute based on the recommendations of the Screening Committee will be final
in all respects. Suitable honorarium will be paid for papers selected for
circulation at the Convention or for publication in the Souvenir.
I) DATA PROTECTION
The Data Protection Act 1998 (DPA) is an Act of Parliament of the United
Kingdom of Great Britain and Northern Ireland which defines UK law on the
processing of data on identifiable living people. It is the main piece of legislation
that governs the protection of personal data in the UK. Although the Act itself
does not mention privacy, it was enacted to bring British law into line with the EU
data protection directive of 1995 which required Member States to protect
people's fundamental rights and freedoms and in particular their right to privacy
with respect to the processing of personal data. In practice it provides a way for
individuals to control information about themselves. Most of the Act does not
apply to domestic use,[1] for example keeping a personal address book. Anyone
holding personal data for other purposes is legally obliged to comply with this
Act, subject to some exemptions. The Act defines eight data protection
principles. It also requires companies and individuals to keep personal
information to themselves.
History
The 1998 Act replaced and consolidated earlier legislation such as the Data
Protection Act 1984 and the Access to Personal Files Act 1987. At the same time
it aimed to implement the European Data Protection Directive. In some aspects,
notably electronic communication and marketing, it has been refined by
subsequent legislation for legal reasons. The Privacy and Electronic
Communications (EC Directive) Regulations 2003 altered the consent
requirement for most electronic marketing to "positive consent" such as an opt in
box. Exemptions remain for the marketing of "similar products and services" to
existing customers and enquirers, which can still be given permission on an opt
out basis.
Personal data
The Act's definition of "personal data" covers any data that can be used to
identify a living individual. Anonymised or aggregated data is not regulated by the
Act, providing the anonymisation or aggregation has not been done in a
reversible way. Individuals can be identified by various means including their
name and address, telephone number or Email address. The Act applies only to
data which is held, or intended to be held, on computers ('equipment operating
automatically in response to instructions given for that purpose'), or held in a
'relevant filing system'.[3]
In some cases even a paper address book can be classified as a 'relevant filing
system', for example diaries used to support commercial activities such as a
salesperson's diary.
The Freedom of Information Act 2000 modified the act for public bodies and
authorities, and the Durant case modified the interpretation of the act by
providing case law and precedent.[4]
The Data Protection Act creates rights for those who have their data stored, and
responsibilities for those who store, process or transmit such data. The person
who has their data processed has the right to:[5]
View the data an organisation holds on them. A 'subject access request' can
be obtained for a nominal fee. As of January 2014, the maximum fee is £2 for
requests to credit reference agencies, £50 for health and educational requests,
and £10 per individual otherwise.[6]
Request that incorrect information be corrected. If the company ignores the
request, a court can order the data to be corrected or destroyed, and in some
cases compensation can be awarded.[7]
Require that data is not used in any way that may potentially cause damage
or distress.[8]
Require that their data is not used for direct marketing.[9]
1. Personal data shall be processed fairly and lawfully and, in particular, shall
not be processed unless:
1. at least one of the conditions in Schedule 2 is met, and
2. in the case of sensitive personal data, at least one of the conditions
in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible
with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes.
6. About the rights of individuals e.g.[10] personal data shall be processed in
accordance with the rights of data subjects (individuals).
7. Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside
the European Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data subjects
in relation to the processing of personal data.
Personal data should only be processed fairly and lawfully. In order for data to be
classed as 'fairly processed', at least one of these six conditions must be
applicable to that data (Schedule 2).
1. The data subject (the person whose data is stored) has consented ("given
their permission") to the processing;
2. Processing is necessary for the performance of, or commencing, a
contract;
3. Processing is required under a legal obligation (other than one stated in
the contract);
4. Processing is necessary to protect the vital interests of the data subject;
5. Processing is necessary to carry out any public functions;
6. Processing is necessary in order to pursue the legitimate interests of the
"data controller" or "third parties" (unless it could unjustifiably prejudice
the interests of the data subject).[11]
Consent
Except under the exceptions mentioned below, the individual needs to consent to
the collection of their personal information and its use for the purpose(s) in
question. The European Data Protection Directive defines consent as “…any
freely given specific and informed indication of his wishes by which the data
subject signifies his agreement to personal data relating to him being processed”,
meaning the individual may signify agreement other than in writing. However,
non-communication should not be interpreted as consent.
The Data Protection Act also specifies that sensitive personal data must be
processed according to a stricter set of conditions, in particular any consent must
be explicit.[12]
Exceptions
The Act is structured such that all processing of personal data is covered by the
act, while providing a number of exceptions in Part IV.[1] Notable exceptions are:
principles, as well as Part II (subject access rights), Part III (notification), Part
V (enforcement), and Section 55 (Unlawful obtaining of personal data).
Section 29 – Crime and taxation. Data processed for the prevention or
detection of crime, the apprehension or prosecution of offenders, or the
assessment or collection of taxes are exempt from the first data protection
principle.
Section 36 – Domestic purposes. Processing by an individual only for the
purposes of that individual's personal, family or household affairs is exempt
from all the data protection principles, as well as Part II (subject access
rights) and Part III (notification).
Offences
The Act details a number of civil and criminal offences for which data controllers
may be liable if a data controller has failed to gain appropriate consent from a
data subject. However, 'consent' is not specifically defined in the Act; consent is
therefore a common law matter.
CYBER SECURITY
The choice between writing cybersecurity as two words (cyber security) or one
(cybersecurity) depends on the institution, and there have been discrepancies on
older documents.[1] However, since the U.S. Federal Executive Order (EO)
13636 on the subject was spelled “Improving Critical Infrastructure
Cybersecurity”, most forums and media have embraced spelling "cybersecurity"
as a single word.
The proliferation of computers, the social influence of information technology and the
ability to store information in digital form have all required Indian law to be amended to
include provisions on the appreciation of digital evidence. In 2000 Parliament enacted
the Information Technology (IT) Act 2000, which amended the existing Indian statutes to
allow for the admissibility of digital evidence. The IT Act is based on the United Nations
Commission on International Trade Law Model Law on Electronic Commerce and,
together with providing amendments to the Indian Evidence Act 1872, the Indian Penal
Code 1860 and the Banker's Book Evidence Act 1891, it recognizes transactions that
are carried out through electronic data interchange and other means of electronic
communication.
Although the Evidence Act has been in force for many years, it has often been amended
to acknowledge important developments. Amendments have been made to the Evidence
Act to introduce the admissibility of both electronic records and paper-based documents.
Evidence
The definition of 'evidence' has been amended to include electronic records (Section
3(a) of the Evidence Act). Evidence can be in oral or documentary form. The definition of
'documentary evidence' has been amended to include all documents, including
electronic records produced for inspection by the court. The term 'electronic records' has
been given the same meaning as that assigned to it under the IT Act, which provides for
"data, record or data generated, image or sound stored, received or sent in an electronic
form or microfilm or computer-generated microfiche".
Admissions
The definition of 'admission' (Section 17 of the Evidence Act) has been changed to
include a statement in oral, documentary or electronic form which suggests an inference
to any fact at issue or of relevance. New Section 22A has been inserted into the
Evidence Act to provide for the relevancy of oral evidence regarding the contents of
electronic records. It provides that oral admissions regarding the contents of electronic
records are not relevant unless the genuineness of the electronic records produced is in
question.
When any statement is part of an electronic record (Section 39 of the Evidence Act), the
evidence of the electronic record must be given as the court considers it necessary in
that particular case to understand fully the nature and effect of the statement and the
circumstances under which it was made. This provision deals with statements that form
part of a longer statement, a conversation or part of an isolated document, or statements
that are contained in a document that forms part of a book or series of letters or papers.
Conditions for the admissibility of digital evidence
Before a computer output is admissible in evidence, the following conditions as set out in
Section 65B(2) must be fulfilled:
"(2) The conditions referred to in subsection (1) in respect of a computer output shall be the
following, namely:
(a) the computer output containing the information was produced by the computer during the
period over which the computer was used regularly to store or process information for the
purposes of any activities regularly carried on over that period by the person having lawful
control over the use of the computer;
(b) during the said period, information of the kind contained in the electronic record or of the
kind from which the information so contained is derived was regularly fed into the computer in
the ordinary course of the said activities;
(c) throughout the material part of the said period the computer was operating properly or, if not,
then in respect of any period in which it was not operating properly or was out of operation
during that part of the period, was not such as to affect the electronic record or the accuracy of
its contents; and
(d) the information contained in the electronic record reproduces or is derived from such
information fed into the computer in the ordinary course of the said activities.
(3) Where over any period the function of storing or processing information for the purposes of
any activities regularly carried on over that period as mentioned in clause (a) of subsection (2)
was regularly performed by computers, whether:
(d) in any other manner involving the successive operation over that period, in whatever order, of
one or more computers and one or more combinations of computers,
all the computers used for that purpose during that period shall be treated for the purposes of this
section as constituting a single computer and references in this section to a computer shall be
construed accordingly."
Section 65B(4) provides that in order to satisfy the conditions set out above, a certificate
of authenticity signed by a person occupying a responsible official position is required.
Such certificate will be evidence of any matter stated in the certificate. The certificate
must:
The certificate must also deal with any of the matters to which the conditions for
admissibility relate.
A fact which is relevant and admissible need not be construed as a proven fact. The
judge must appreciate the fact in order to conclude that it is a proven fact. The exception
to this general rule is the existence of certain facts specified in the Evidence Act that can
be presumed by the court. The Evidence Act has been amended to introduce various
presumptions regarding digital evidence.
Electronic agreements
Section 84A of the Evidence Act provides for the presumption that a contract has been
concluded where the parties' digital signatures are affixed to an electronic record that
purports to be an agreement.
Secure electronic records and digital signatures
Section 85B of the Evidence Act provides that where a security procedure has been
applied to an electronic record at a specific time, the record is deemed to be a secure
electronic record from such time until the time of verification. Unless the contrary is
proved, the court is to presume that a secure electronic record has not been altered
since obtaining secure status. The provisions relating to a secure digital signature are
set out in Section 15 of the IT Act. A secure digital signature is a digital signature which,
by application of a security procedure agreed by the parties at the time that it was
affixed, is:
It is presumed that by affixing a secure digital signature the subscriber intends to sign or
approve the electronic record. In respect of digital signature certificates (Section 85C of
the Evidence Act), it is presumed that the information listed in the certificate is correct,
with the exception of information specified as subscriber information that was not verified
when the subscriber accepted the certificate.
Electronic messages
Under the provisions of Section 88A, it is presumed that an electronic message
forwarded by a sender through an electronic mail server to an addressee corresponds
with the message fed into the sender's computer for transmission. However, there is no
presumption regarding the person who sent the message. This provision presumes only
the authenticity of the electronic message and not the sender of the message.
place and under the care of the person under whom it would naturally be. At the same
time, custody is not considered improper if the record is proved to have had a legitimate
origin or the circumstances of the particular case are such as to render the origin
probable. The same rule also applies to evidence presented in the form of an electronic
copy of the Official Gazette.
The definition of 'banker's book' has been amended to include the printout of data stored
on a floppy disc or any other electro-magnetic device (Section 2(3)). Section 2A provides
that the printout of an entry or a copy of a printout must be accompanied by a certificate
stating that it is a printout of such entry or a copy of such printout by the principal
accountant or branch manager, together with a certificate from a person in charge of the
computer system, containing a brief description of the computer system and the
particulars of its safeguards.
A number of offences were introduced under the provisions of the First Schedule of the
IT Act, which amended the Penal Code with respect to offences for the production of
documents that have been amended to include electronic records. The range of
additional offences includes:
record with the intention of preventing the record from being produced or used as
evidence (Section 204 of the Penal Code); and
making any false electronic record (Sections 463 and 465 of the Penal Code).
State of Punjab v Amritsar Beverages Ltd involved a search by the Sales Tax Department
and the seizure of computer hard disks and documents from the dealer's
premises.(1) The computer hard disk was seized under the provisions set out in Section
14 of the Punjab General Sales Tax Act 1948, which requires authorities to return seized
documents within a stipulated timeframe (Section 14 (3)), provided that the dealer or
person concerned is given a receipt for the property. Section 14 reads as follows:
(1) The commissioner or any person appointed to assist him under subsection (1) of section 3 not
below the rank of an [Excise and Taxation Officer], may, for the purpose of the act, require any
dealer referred to in section 10 to produce before him any book, document or account relating to
his business and may inspect, examine and copy the same and make such enquiry from such
Provided that books, documents and accounts of a period more than five years prior to the year
(b) maintain a list of his account books, display it along with his registration certificate and
(c) produce, if so required, account books of his business before the Assessing Authority for
(d) retain his account books at the place of his business, unless removed therefrom by an official
for inspection, by any official agency, or by auditors or for any other reason which may be
(3) If any officer referred to in subsection (1) has reasonable ground for believing that any dealer
is trying to evade liability for tax or other dues under this act, and that anything necessary for the
purpose of an investigation into his liability may be found in any book, account, register or
document, he may seize such book, account, register or document, as may be necessary. The
officer seizing the book, account, register or document shall forthwith grant a receipt for the
(a) in the case of a book, account, register or document which was being used at the time of
(b) in any other case, within a period of 60 days from the date of seizure;
return it to the dealer or the person from whose custody it was seized after the examination or
after having such copies or extracts taken therefrom as may be considered necessary, provided
that the dealer or the aforesaid person gives a receipt in writing for the book, account, register or
document returned to him. The officer may, before returning the book, account, register or
document, affix his signature and his official seal at one or more places thereon, and in such case
the dealer or the aforesaid person will be required to mention in the receipt given by him the
number of places where the signature and seal of such officers have been affixed on each book,
(4) For the purpose of subsection (2) or subsection (3), an officer referred to in subsection (1)
may enter and search any office, shop, godown, vessel, vehicle or any other place of business of
the dealer or any building or place except residential houses where such officer has reason to
believe that the dealer keeps or is, for the time being, keeping any book, account, register,
(5) The power conferred by subsection (4) shall include the power to open and search any box or
receptacle in which any books, accounts, register or other relevant document of the dealer may
be contained.
(6) Any officer empowered to act under subsection (3) or subsection (4) shall have power to seize
any goods which are found in any office, shop, godown, vessel, vehicle or any other place of
business or any building or place of the dealer, but not accounted for by the dealer in his books,
This section entitles the officer concerned to affix his or her signature and seal at one or
more places on the seized document and to include in the receipt the number of places
where the signature and seal have been affixed. In the case at hand, the officers
concerned called upon the dealer, but the dealer ignored their requests.
After examination, the Sales Tax Authority was required to return all documents seized
within 60 days. However, the authority failed to return the hard disk, claiming that it was
not a document. When the matter came before the Supreme Court, a creative
interpretation was adopted, taking into account the fact that the Punjab General Sales
Tax Act was enacted in 1948 when information technology was far from being
developed. It was determined that the Constitution of India is a document that must be
interpreted in light of contemporary life. This meant that a creative interpretation was
necessary to enable the judiciary to respond to technological developments. The court
was permitted to use its own interpretative principles since Parliament had failed to
amend the statute with regard to developments in the field of science. The court stated
that the Evidence Act, which is part of the procedural laws, should be construed to be an
ongoing statute, similar to the Constitution, which meant that in accordance with the
circumstances, a creative interpretation was possible.
It was held that the proper course of action for officers in such circumstances was to
make copies of the hard disk or obtain a hard copy, affix their signatures or official seal
on the hard copy and furnish a copy to the dealer or person concerned.
Evidence recorded on CD
In Jagjit Singh v State of Haryana the speaker of the Legislative Assembly of the State of
Haryana disqualified a member for defection.(2) When hearing the matter, the Supreme
Court considered the appreciation of digital evidence in the form of interview transcripts
from the Zee News television channel, the Aaj Tak television channel and the Haryana
News of Punjab Today television channel. The Supreme Court of India indicated the
extent of the relevance of the digital materials in Paragraph 25 of its ruling:
"The original CDs received from Zee Telefilms, the true translation into English of the transcript
of the interview conducted by the said channel and the original letter issued by Zee Telefilms and
handed over to Ashwani Kumar on his request were filed on June 23 2004. The original CDs
received from Haryana News channel along with the English translation as above and the
original proceedings of the Congress legislative party in respect of proceedings dated June 16
2004 at 11.30am in the Committee room of Haryana Vidhan Sabha containing the signatures of
three out of four independent members were also filed."
In Paragraphs 26 and 27 the court went on to indicate that an opportunity had been
given to the parties to review the materials, which was declined:
"26. It has to be noted that on June 24 2004 counsel representing the petitioners were asked by
the speaker to watch the interviews conducted in New Delhi on June 14 2004 by Zee News and
Haryana News, which were available on the CD as part of the additional evidence with the
application dated June 23 2004 filed by the complainant. The counsel, however, did not agree to
watch the recording which was shown on these two channels. The copies of the application dated
June 23 2004 were handed over to the counsel and they were asked to file the reply by 10am on
June 25 2004. In the replies the petitioners merely denied the contents of the application without
stating how material by way of additional evidence that had been placed on record was not
genuine.
27. It is evident from the above facts that the petitioners declined to watch the recording, failed to
show how and what part of it, if any, was not genuine, but merely made general denials and
sought permission to cross-examine Ashwani Kumar and the opportunity to lead evidence."
The speaker was required to rule on the authenticity of the digital recordings, as
indicated at Paragraph 30 of the ruling:
"Under these circumstances, the speaker concluded that 'there is no room for doubting the
authenticity and accuracy of the electronic evidence produced by the petitioner'. The speaker held
that:
The court determined that the electronic evidence placed on record was admissible and
upheld the reliance placed by the speaker on the recorded interview when reaching the
conclusion that the voices recorded on the CD were those of the persons taking action.
The Supreme Court found no infirmity in the speaker's reliance on the digital evidence
and the conclusions reached in Paragraph 31 bear repeating in full:
The comments in this case indicate a trend emerging in Indian courts: judges are
beginning to recognize and appreciate the importance of digital evidence in legal
proceedings.
Examination of a witness by video conference
State of Maharashtra v Dr Praful B Desai involved the question of whether a witness can be
examined by means of a video conference.(4) The Supreme Court observed that video
conferencing is an advancement of science and technology which permits seeing,
hearing and talking with someone who is not physically present with the same facility
and ease as if they were physically present. The legal requirement for the presence of
the witness does not mean actual physical presence. The court allowed the examination
of a witness through video conferencing and concluded that there is no reason why the
examination of a witness by video conferencing should not be an essential part of
electronic evidence.
This Supreme Court decision has been followed in other high court rulings (eg, Amitabh
Bagchi v Ena Bagchi).(5) More recently, the High Court of Andhra Pradesh in Bodala
Murali Krishna v Bodala Prathima held that necessary precautions must be taken to
identify the witness and ensure the accuracy of the equipment being used.(6) In addition,
any party wishing to avail itself of the facility of video conferencing must meet the entire
expense.
not only automatically, may give rise to many difficulties especially with
regard to the attribution of liability for the actions of such software. This
Furthermore, this paper briefly addresses the issue of what the law ought
The word "transnational" describes crimes that are not only international (that is,
crimes that cross borders between countries), but crimes that by their nature
involve cross-border transference as an essential part of the criminal activity.
Transnational crimes also include crimes that take place in one country, but their
consequences significantly affect another country and transit countries may also
be involved. Examples of transnational crimes include: human trafficking, people
smuggling, smuggling/trafficking of goods (such as arms trafficking and drug
trafficking and illegal animal and plant products and other goods prohibited on
environmental grounds (e.g. banned ozone depleting substances)), sex
slavery, terrorism offences, torture and apartheid. Transnational organized
crime (TOC) refers specifically to transnational crime carried out by organized
crime organizations.[2]
In failed or failing states
The international community is confronted with an increasing level of
transnational crime in which criminal conduct in one country has an impact in
another or even several others. Drug trafficking, human trafficking, computer
crimes, terrorism, and a host of other crimes can involve actors operating outside
the borders of a country which might have a significant interest in stemming the
activity in question and prosecuting the perpetrator. Contemporary transnational
crimes take advantage of globalization, trade liberalization and exploding new
technologies to perpetrate diverse crimes and to move money, goods, services
and people instantaneously for purposes of perpetrating violence for political
ends.[3]
is found within the territory of the requested state, then the requested state may
arrest the fugitive and subject him or her to its extradition process. The
extradition procedures to which the fugitive will be subjected are dependent on
the law and practice of the requested state.[3]
Aside from mechanisms for the return of fugitives, states have also developed
mechanisms for requesting and obtaining evidence for criminal investigations
and prosecutions. When evidence or other forms of legal assistance, such as
witness statements or the service of documents, are needed from a foreign
sovereign, states may attempt to cooperate informally through their respective
police agencies or, alternatively, resort to what is typically referred to as requests
for “mutual legal assistance”.[3] The practice of mutual legal assistance developed
from the comity-based system of letters rogatory, though it is now far more
common for states to make mutual legal assistance requests directly to the
designated “Central Authorities” within each state. In contemporary practice,
such requests may still be made on the basis of reciprocity but may also be
made pursuant to bilateral and multilateral treaties that obligate countries to
provide assistance. Many countries are able to provide a broad range of mutual
legal assistance to other countries even in the absence of a treaty.[
MODULE III
CRIME
The Convention on Cybercrime, also known as the Budapest Convention on
Cybercrime or the Budapest Convention, is the first international treaty seeking
to address Internet and computer crime by harmonizing national laws, improving
investigative techniques, and increasing cooperation among nations.[1][2] It was
drawn up by the Council of Europe in Strasbourg, France, with the active
participation of the Council of Europe's observer states Canada and Japan.
The Convention and its Explanatory Report were adopted by the Committee of
Ministers of the Council of Europe at its 109th Session on 8 November 2001. It
was opened for signature in Budapest, on 23 November 2001 and it entered into
force on 1 July 2004.[3] As of October 2014, 44 states had ratified the
convention, while a further nine states had signed the convention but not ratified
it.[4]
Objectives
The Convention is the first international treaty on crimes committed via the
Internet and other computer networks, dealing particularly with infringements of
copyright, computer-related fraud, child pornography, hate crimes, and violations
of network security.[6] It also contains a series of powers and procedures such as
the search of computer networks and lawful interception.
Its main objective, set out in the preamble, is to pursue a common criminal policy
aimed at the protection of society against cybercrime, especially by adopting
appropriate legislation and fostering international cooperation.
Providing for domestic criminal procedural law powers necessary for the
investigation and prosecution of such offences as well as other offences
committed by means of a computer system or evidence in relation to which is
in electronic form
Setting up a fast and effective regime of international cooperation
The following offences are defined by the Convention: illegal access, illegal
interception, data interference, system interference, misuse of devices,
computer-related forgery, computer-related fraud, offences related to child
pornography, and offences related to copyright and neighbouring rights.
It also sets out such procedural law issues as expedited preservation of stored
data, expedited preservation and partial disclosure of traffic data, production
order, search and seizure of computer data, real-time collection of traffic data,
and interception of content data. In addition, the Convention contains a provision
on a specific type of transborder access to stored computer data which does not
require mutual assistance (with consent or where publicly available) and provides
for the setting up of a 24/7 network for ensuring speedy assistance among the
Signatory Parties.
"While balancing civil liberty and privacy concerns, this treaty encourages the
sharing of critical electronic evidence among foreign countries so that law
enforcement can more effectively investigate and combat these crimes", said
Senate Majority Leader Bill Frist.[10]
"The Convention includes a list of crimes that each signatory state must
transpose into their own law. It requires the criminalization of such activities
as hacking (including the production, sale, or distribution of hacking tools) and
offenses relating to child pornography, and expands criminal liability for
intellectual property violations. It also requires each signatory state to implement
certain procedural mechanisms within their laws. For example, law enforcement
authorities must be granted the power to compel an Internet service provider to
monitor a person's activities online in real time. Finally, the Convention requires
signatory states to provide international cooperation to the widest extent possible
for investigations and proceedings concerning criminal offenses related to
computer systems and data, or for the collection of evidence in electronic form of
a criminal offense. Law enforcement agencies will have to assist police from
other participating countries to cooperate with their mutual assistance
requests".[11]
Congress enacted the PROTECT Act to amend the provision, limiting the ban to
any visual depiction “that is, or is indistinguishable from, that of a minor engaging
in sexually explicit conduct”. 18 U.S.C
The United States will not become a Party to the Additional Protocol to the
Convention on Cybercrime.
Uniform Domain-Name Dispute Resolution Policy
given TLD. Any person or entity may bring a challenge to a registered
name under the CEDRP.
Any person or entity may bring a challenge to a registration under the
ERDRP.
The Intellectual Property Defensive Registration Challenge Policy
(IPDRCP) applies to intellectual property defensive registrations in
the .pro TLD, which is restricted to use by certified practicing members
of certain professions (currently the medical, legal, and accounting
professions). An intellectual property defensive registration may be
registered only by the owner of an eligible trademark or service mark
registration. The IPDRCP provides an avenue for challenges to
Intellectual Property Defensive Registrations concerning whether such
registrant meets the Registration Qualifications. Any person or entity
may initiate an IPDRCP proceeding by submitting a challenge in
accordance with the rules.
List of Approved Dispute Resolution Service Providers
The Sunrise Challenge Policy (SCP) was applied only during the
sunrise period for the .info TLD. Challenges under the Sunrise
Challenge Policy were administered by the registry operator (Afilias). As
the one hundred twenty (120) day sunrise period has closed, parties
disputing the validity of a sunrise registration may utilize the UDRP or
available courts of law. For more information, see the registry operator's
site.
Proceedings
of ICANN's approved dispute-resolution service providers, which can be
found at the following link:
Applications should contain:
including a statement of applicant's administrative capacity in
terms of number of proceedings initiated on a monthly basis.
2. Applicant should propose a list of highly qualified neutrals who
have agreed to serve as panelists. Applicant's list should
include at least twenty persons. Applicants are expected
thoroughly to train the listed neutrals concerning the policy and
rules, the technology of domain names, and the basic legal
principles applicable to domain-name disputes. Accordingly,
excessively long lists of neutrals are discouraged. The
applicant should either present a list of panelists from multiple
countries or, if the applicant initially presents a single-country
list, propose a plan to expand its list to become multinational.
intelligence is built into the network itself. The
Net neutrality law refers to laws and regulations which enforce the principle of net
neutrality.[1]
providers to offer content providers a faster track to send content, thus reversing
their earlier position on net neutrality.[4][5][6] Municipal broadband could provide a
net neutral environment, according to Professor Susan Crawford, a legal and
technology expert at Harvard Law School.[7] On 15 May 2014, the FCC decided to
consider two options regarding Internet services: first, permit fast and slow
broadband lanes, thereby compromising net neutrality; and second, reclassify
broadband as a telecommunication service, thereby preserving net
neutrality.[8][9] On 10 November 2014, President Obama recommended the FCC
reclassify broadband Internet service as a telecommunications service in order to
preserve net neutrality.[10][11] On 26 February 2015, the FCC ruled in favor of net
neutrality by reclassifying broadband access as a telecommunications service
and thus applying Title II (common carrier) of the
Common carrier
Historical precedent
transmitted in the order of their reception, excepting that the dispatches of the
government shall have priority ...
—An act to facilitate communication between the Atlantic and Pacific states by
electric telegraph, June 16, 1860.[16]
In 1888 Almon Brown Strowger, suspecting his loss of business was caused by a
nepotistic telephone operator redirecting his business calls to a competitor,
invented an electromechanical-based automatic telephone exchange that
effectively removed human interference of telephone calls.[15]
Degrees of enforcement
Full neutrality
Chile became the first country in the world to pass net neutrality legislation in
2010.[17] The laws adopted there prohibit organizations such
as Facebook and Wikipedia from subsidizing mobile data usage of
consumers.[18] The adoption of net neutrality law usually includes allowance for
discrimination in limited conditions, such as preventing spam, malware, or illegal
content. The law in Chile allows exceptions for ensuring privacy and
security.[17] The law in the Netherlands allows exceptions for congestion, security,
spam, or legal reasons.
Only allow discrimination based on type of data
Columbia University Law School professor Tim Wu observed the Internet is not
neutral in terms of its impact on applications having different requirements. It is
more beneficial for data applications than for applications that require
low latency and low jitter, such as voice and real-time video. He explains that
looking at the full spectrum of applications, including both those that are sensitive
to network latency and those that are not, the IP suite isn't actually neutral. He
has proposed regulations on Internet access networks that define net neutrality
as equal treatment among similar applications, rather than neutral transmissions
regardless of applications. He proposes allowing broadband operators to make
reasonable trade-offs between the requirements of different applications, while
regulators carefully scrutinize network operator behavior where local networks
interconnect.[21] However, it is important to ensure that these trade-offs among
different applications be done transparently so that the public will have input on
important policy decisions.[22] This is especially important as the broadband
operators often provide competing services—e.g., cable TV, telephony—that
might differentially benefit when the need to manage applications could be
invoked to disadvantage other competitors.
The proposal of Google and Verizon would allow discrimination based on the
type of data, but would prohibit ISPs from targeting individual organizations or
websites:[23] Google CEO Eric Schmidt explains Google's definition of Net
neutrality as follows: if the data in question is video, for example, then there is no
discrimination between one purveyor's data versus that of another. However,
discrimination between different types of data is allowed, so that voice data could
be given higher priority than video data. On this, both Verizon and Google are
agreed.[24]
Some opponents of net neutrality argue that, under ISP market competition,
paid prioritization of bandwidth can induce optimal user welfare.[25] Although net
neutrality might protect user welfare when the market lacks competition, they
argue that a better alternative could be to introduce a neutral public option to
incentivize competition, rather than forcing existing ISPs to be neutral.
Some ISPs, such as Comcast, oppose blocking or throttling, but have argued
that they are allowed to charge websites for faster data delivery.[26] AT&T has
made a broad commitment to net neutrality, but has also argued for their right to
offer websites paid prioritization[27][28][29] and in favor of its current sponsored data
agreements.[30]
No direct enforcement
While many countries lack legislation directly addressing net neutrality, net
neutrality can sometimes be enforced based on other laws, such as those
preventing anti-competitive practices. This is currently the approach of the US
FCC, which justifies its enforcement based on compliance with "commercially
reasonable" practices.[31]
In the United States, author Andy Kessler argued in The Weekly Standard that,
though network neutrality is desirable, the threat of eminent domain against the
telecommunication companies, instead of new legislation, is the best approach.[32]
In 2011, Aparna Watal of Attomic Labs said that there had been few violations of
net neutrality. She argues that transparency, threat of public backlash, and the
FCC's current authority was enough to solve the issues of net neutrality, claiming
that the threat of consumers switching providers and the high cost of maintaining
a non-neutral network will deter bad practices.[33]
The Wall Street Journal has written about the government's responsibility being
more along the lines of making sure consumers have the ability to find another
Internet provider if they are not satisfied with their service, as opposed to
determining how Internet providers should go about managing their networks.[34]
European Union
EU parliament
On 19 December 2009, the so-called "Telecoms Package" came into force and
EU member states were required to implement the Directive by May
2011.[38][39] According to the European Commission the new transparency
requirements in the Telecoms Package would mean that "consumers will be
informed—even before signing a contract—about the nature of the service to
which they are subscribing, including traffic management techniques and their
impact on service quality, as well as any other limitations (such as bandwidth
caps or available connection speed)".[39] Regulation (EC) No 1211/2009 of the
European Parliament and of the Council of 25 November 2009 established the
Body of European Regulators for Electronic Communications (BEREC) and the
Office[40] Body of European Regulators of Electronic Communications. BEREC's
main purpose is to promote cooperation between national regulatory authorities,
ensuring a consistent application of the EU regulatory framework for electronic
communications.[41]
By individual country
Since March 2009 there has been a bill in Italy called: Proposta di legge dei senatori
Vincenzo VITA (PD) e Luigi Vimercati (PD) "Neutralita' Delle Reti, Free Software
E Societa' Dell'informazione".[42] Senator Vimercati said in an interview that he
wants "to do something for the network neutrality" and that he was inspired by
Lawrence Lessig, Professor at the Stanford Law School. Vimercati said that the
topic is very hard, but that article 3 contains a reference to the concept of
neutrality regarding content. It is also a problem of transparency and of
mobile connections: we need the minimum bandwidth to guarantee the service.
We need some principle to defend the consumers. It's important that the
consumer is informed if he cannot access all of the Internet. The bill
rejects all discrimination, whether related to the content, the service or the device.
The bill is generally about the Internet ("a statute for the Internet") and treats different
topics such as network neutrality, free software, and giving Internet access to
everyone.
In June 2011, the majority of the Dutch lower house voted for new net neutrality
laws which prohibit the blocking of Internet services, the use of deep packet
inspection to track customer behaviour, and otherwise filtering or manipulating
network traffic.[43] The legislation applies to any telecommunications provider and
was formally ratified by the Dutch senate on 8 May 2012.[44][45]
In Belgium, net neutrality was discussed in the parliament in June 2011. Three
parties (CD&V, N-VA & PS) jointly proposed a text to introduce the concept of net
neutrality in the telecom law.[46]
In France, on 12 April 2011, the Commission for economic affairs of the French
parliament approved the report of MP Laure de La Raudière (UMP). The report
contains[47] 9 proposals. Propositions n°1 & 2 act on net neutrality.
Israel
There is ongoing legal and political wrangling in the U.S. regarding net neutrality.
The United States Federal Communications Commission is in charge of
regulating Internet service providers' conduct in the US, though the extent of its
jurisdiction is subject to ongoing legal disputes.[50]
regulations, facilities or services".[51] On 21 December 2010, these changes were
put into effect by the FCC Open Internet Order 2010, which banned cable
television and telephone service providers from preventing access to competitors
or certain web sites such as Netflix. The rules also include a more limited set of
obligations for wireless providers. The rules would not keep ISPs from charging
more for faster access. Republicans in Congress threatened to reverse the rules
through legislation.[52]
On 23 September 2011, the FCC released its final rules for Preserving a Free
and Open Internet. These rules state that providers must have transparency of
network management practices, not block lawful content, nor unreasonably
discriminate in transmitting lawful network traffic.[53] These rules are effective 20
November 2011.
pay a higher price. Their customers would have preferential access.[4][5][57][58] On 15
May the FCC launched a public comment period on how FCC rulemaking could
best protect and promote an open Internet,[59] garnering over one million
responses—the most the FCC had ever received for rulemaking.[60]
The new proposed rules have received heavy criticisms, with many claiming they
are ruining the internet. Opponents of the rules declared September 10, 2014 to
be the "Internet Slowdown". On it, participating websites were purposely slowed
down to show what they feel would happen if the new rules took effect. Websites
that participated in the Internet Slowdown
include: Netflix, Reddit, Tumblr, Twitter, Vimeo and Kickstarter.[61][62][63][64][65][66][67]
Russian Federation
South America
In 2014, the Brazilian government passed a law which expressly upholds net
neutrality, "guaranteeing equal access to the Internet and protecting the privacy
of its users in the wake of U.S. spying revelations".[77]
East Asia
Net neutrality in the common carrier sense has been instantiated into law in
many countries, including Japan.[78] In Japan, the nation's largest phone
company, Nippon Telegraph and Telephone, operates a service called Flet's
Square over their FTTH high speed Internet connections. In South Korea, VoIP is
blocked on high-speed FTTH networks except where the network operator is the
service provider.[79]
online, as in other mass media, are still significantly stifled. Empirical studies
have found that China has one of the most sophisticated content-filtering Internet
regimes in the world. The Chinese government employs increasingly
sophisticated methods to limit content online, including a combination of legal
regulation, surveillance, and punishment to promote self-censorship, as well as
technical controls."[80]
George Mason University fellow Adam Thierer has argued that "any government
agency or process big enough to control a major sector of our economy will be
prone to influence by those most affected by it", and that consequently "for all the
talk we hear about how the FCC's move to impose Net Neutrality regulation is
about 'putting consumers first' or 'preserving Net freedom and openness,' it's
difficult to ignore the small armies of special interests who stand ready to exploit
this new regulatory regime the same way they did telecom and broadcast
industry regulation during decades past."[81]
Grant Babcock, in the libertarian magazine Reason, wrote in 2014 that U.S.
government oversight of ISPs could allow government agencies like the NSA to
pressure ISPs into handing over private communication data on their users. He
noted that there was a history of U.S. governmental abuse of regulation,
including the Federal Reserve forcing some banks in 2008 to accept Troubled
Asset Relief Program funding by threatening to use their regulatory powers
against non-compliant banks.[82]
over company networks is a violation of the ISPs' constitutional rights, specifically
concerning the First Amendment and Fifth Amendment in a court
case challenging the Open Internet Order.[83]
Verizon challenged the Open Internet Order on several grounds, including that
the Commission lacked affirmative statutory authority to promulgate the rules,
that its decision to impose the rules was arbitrary and capricious, and that the
rules contravened statutory provisions prohibiting the Commission from treating
broadband providers as common carriers.[84]
Some pieces of legislation, like The Internet Freedom Preservation Act of 2009,
attempt to mitigate these concerns by excluding reasonable network
management from regulation.[86]
(WCAG) 2.0
The WCAG documents explain how to make web content more accessible to
people with disabilities. Web "content" generally refers to the information
in a web page or web application, including:
Related resources are intended to meet the needs of many different people,
including policy makers, managers, researchers, and others.
For a short summary of the WCAG 2.0 guidelines, see WCAG 2.0 at a
Glance.
To learn about web accessibility principles and guidelines, see Accessibility
Principles.
For more details on how these documents are related and how they are
linked, see The WCAG 2.0 Documents.
WAI is planning additional material to help web developers develop
accessible web content that conforms to WCAG 2.0. In 2012 we plan to
develop "Application Notes" (working title) to provide guidance for specific
topics, such as images, links, or tables. For example, an Application Note on
forms would start with simple examples and include the WCAG 2.0 success
criteria, techniques, and strategies for developing accessible forms.
Benefits of WCAG 2.0 as an ISO standard are summarized in ISO in the FAQ.
More information on W3C and the ISO process is in the W3C PAS FAQ.
WAI updates Techniques for WCAG 2.0 and Understanding WCAG 2.0
periodically. We welcome comments and submission of new techniques.
Opportunities for contributing to WCAG and other WAI work are introduced
in Participating in WAI.
MODULE IV
official identity card but a Social Security number that has long served
as a de facto identification number. Taxes are collected on the basis of
each citizen’s Social Security number, and many private institutions use
the number to keep track of their employees, students, and patients.
Access to an individual’s Social Security number affords the opportunity
to gather all the documents related to that person’s citizenship—i.e., to
steal his identity. Even stolen credit card information can be used to
reconstruct an individual’s identity. When criminals steal a firm’s credit
card records, they produce two distinct effects. First, they make off with
digital information about individuals that is useful in many ways. For
example, they might use the credit card information to run up huge bills,
forcing the credit card firms to suffer large losses, or they might sell the
information to others who can use it in a similar fashion. Second, they
might use individual credit card names and numbers to create new
identities for other criminals. For example, a criminal might contact the
issuing bank of a stolen credit card and change the mailing address on
the account. Next, the criminal may get a passport or driver’s license
with his own picture but with the victim’s name. With a driver’s license,
the criminal can easily acquire a new Social Security card; it is then
possible to open bank accounts and receive loans—all with the victim’s
credit record and background. The original cardholder might remain
unaware of this until the debt is so great that the bank contacts the
account holder. Only then does the identity theft become visible.
Although identity theft takes place in many countries, researchers and
law-enforcement officials are plagued by a lack of information and
statistics about the crime worldwide. Interpol, the international policing
agency, has not added any type of cybercrime, including identity theft,
to its annual crime statistics. Cybercrime is clearly, however, an
international problem.
In 2003 the U.S. Federal Trade Commission (FTC) released the first
national survey on identity theft; according to the report, in the previous
year 3.3 million Americans had their identities fraudulently used to open
bank, credit card, or utility accounts, with losses of $32.9 billion to
businesses and $3.8 billion to individuals. The report also stated that
another 6.6 million Americans were victimized by account theft, such as
use of stolen credit cards and automatic teller machine (ATM) cards,
with losses of $14 billion to businesses and $1.1 billion to individuals.
The annual FTC reports show that while the total number of identity
theft victims in the United States has declined by about 500,000 in each
subsequent year, the average loss incurred by individuals and
businesses per incident has grown enough to keep the total losses near
$50 billion every year.
Internet fraud
Schemes to defraud consumers abound on the Internet. Among the
most famous is the Nigerian, or “419,” scam; the number is a reference
to the section of Nigerian law that the scam violates. Although this con
has been used with both fax and traditional mail, it has been given new
life by the Internet. In the scheme, an individual receives an e-mail
asserting that the sender requires help in transferring a large sum of
money out of Nigeria or another distant country. Usually, this money is
in the form of an asset that is going to be sold, such as oil, or a large
amount of cash that requires “laundering” to conceal its source; the
variations are endless, and new specifics are constantly being
developed. The message asks the recipient to cover some cost of
moving the funds out of the country in return for receiving a much larger
sum of money in the near future. Should the recipient respond with a
check or money order, he is told that complications have developed;
more money is required. Over time, victims can lose thousands of
dollars that are utterly unrecoverable.
In 2002 the newly formed U.S. Internet Crime Complaint Center
reported that more than $54 million had been lost through a
variety of fraud schemes; this represented a threefold increase over
estimated losses of $17 million in 2001. The annual losses grew in
subsequent years, reaching $125 million in 2003, about $200 million in
2006, and close to $250 million in 2008. In the United States, the largest
source of fraud continues to be online auctions. In many cases,
individuals put products up for sale on Internet auction sites, demand
money before delivery, and never fulfill their obligations to the
consumer. Such scams account for about half of the fraud cases each
year. Unlike identity theft, where the theft occurs without the victim’s
knowledge, these more traditional forms of fraud occur in plain sight.
The victim willingly provides private information that enables the crime;
hence, these are transactional crimes. Few people would believe
someone who walked up to them on the street and promised them easy
riches; however, receiving an unsolicited e-mail or visiting a random
Web page is sufficiently different that many people easily open their
wallets. Despite a vast amount of consumer education, Internet fraud
remains a growth industry for criminals and prosecutors. Europe and the
United States are far from the only sites of cybercrime. South Korea is
among the most wired countries in the world, and its cybercrime fraud
statistics are growing at an alarming rate. Japan has also experienced a
rapid growth in similar crimes.
II) INTERNATIONAL LAW GOVERNING
REGULATIONS
However, in 2014, the United States was added to Reporters Without Borders's (RWB's) list
of "Enemies of the Internet", a category of countries with the highest level of Internet
censorship and surveillance. RWB stated that the U.S. "… has undermined confidence in the
Internet and its own standards of security" and that "U.S. surveillance practices and
decryption activities are a direct threat to investigative journalists, especially those who work
with sensitive sources for whom confidentiality is paramount and who are already under
pressure."[1]
Overview
The strong protections for freedom of speech and expression against federal, state, and local
government censorship are rooted in the First Amendment of the United States Constitution.
These protections extend to the Internet and as a result very little government mandated
technical filtering occurs in the U.S. Nevertheless, the Internet in the United States is highly
regulated, supported by a complex set of legally binding and privately mediated
mechanisms.[2]
After a decade and a half of ongoing contentious debate over content regulation, the country is
still very far from reaching political consensus on the acceptable limits of free speech and the
best means of protecting minors and policing illegal activity on the Internet. Gambling, cyber
security, and dangers to children who frequent social networking sites are important ongoing
debates. Significant public resistance to proposed content restriction policies has prevented
the more extreme measures used in some other countries from taking hold in the U.S.[2]
Public dialogue, legislative debate, and judicial review have produced filtering strategies in
the United States that are different from those found in most of the rest of the world. Many
government-mandated attempts to regulate content have been barred on First Amendment
grounds, often after lengthy legal battles.[3] However, the government has been able to exert
pressure indirectly where it cannot directly censor. With the exception of child pornography,
content restrictions tend to rely more on the removal of content than blocking; most often
these controls rely upon the involvement of private parties, backed by state encouragement
or the threat of legal action.[4] In contrast to much of the rest of the world, where ISPs are
subject to state mandates, most content regulation in the United States occurs at the private
or voluntary level.[2]
The first wave of regulatory actions in the 1990s in the United States came about in
response to the profusion of sexually explicit material on the Internet within easy reach of
minors. Since that time, several legislative attempts at creating a mandatory system of
content controls in the United States have failed to produce a comprehensive solution for
those pushing for tighter controls. At the same time, the legislative attempts to control the
distribution of socially objectionable material on the Internet in the United States have given
rise to a robust system that limits liability over content for Internet intermediaries such as
Internet service providers (ISPs) and content hosting companies.[2]
Proponents of protecting intellectual property online in the United States have been much
more successful, producing a system to remove infringing materials that many feel errs on
the side of inhibiting legally protected speech.[2][5] The US practices forceful seizures of
domains and computers, at times without notification, causing the websites to be unable to
continue operating. Some high-profile cases are Napster, Wikileaks, PirateBay, and
MegaUpload.
Federal laws
With a few exceptions, the free speech provisions of the First Amendment bar federal, state,
and local governments from directly censoring the Internet. The primary exception has to do
with obscenity, including child pornography, which does not enjoy First Amendment
protection.[6]
In 1996, the United States enacted the Communications Decency Act (CDA), which
attempted to regulate both indecency (when available to children) and obscenity
in cyberspace.[7] In 1997, in the case of Reno v. ACLU, the United States Supreme
Court found the anti-indecency provisions of the Act unconstitutional.[8] Writing for the Court,
Justice John Paul Stevens held that "the CDA places an unacceptably heavy burden on
protected speech".[9]
Section 230[10] is a separate portion of the CDA that remains in effect. Section 230 says that
operators of Internet services are not legally liable for the words of third parties who use their
services and also protects ISPs from liability for good faith voluntary actions taken to restrict
access to certain offensive materials[11] or giving others the technical means to restrict access
to that material.
In 1998, the United States enacted the Child Online Protection Act[12] (COPA) to restrict
access by minors to any material defined as harmful to such minors on the Internet. The law
was found to be unconstitutional because it would hinder protected speech among adults. It
never took effect, as three separate rounds of litigation led to a permanent injunction against
the law in 2009.[13][14][15]
Signed into law in 1998, the Digital Millennium Copyright Act (DMCA, 17 U.S.C. § 1201)
criminalizes the discussion and dissemination of technology that could be used to circumvent
copyright protection mechanisms[5] and makes it easier to act against alleged copyright
infringement on the Internet.[16] The Online Copyright Infringement Liability Limitation
Act (OCILLA) is included as Title II of the DMCA[17] and limits the liability of the on-line service
providers for copyright infringement by their users.[18]
The Children's Online Privacy Protection Act (COPPA) went into effect on 21 April 2000.[19] It
applies to the online collection of personal information by persons or entities under U.S.
jurisdiction from children under 13 years of age and details what a website operator must
include in a privacy policy, when and how to seek verifiable consent from a parent or
guardian, and what responsibilities an operator has to protect children's privacy and safety
online including restrictions on the marketing to those under 13.[20] While children under 13
can legally give out personal information with their parents' permission, many websites
disallow underage children from using their services altogether due to the amount of
paperwork and cash involved for the compliance. Similarly, public perception claims that the
law was intended to protect children from pedophiles rather than unintended marketing practices.
On December 21, 2000 the Children's Internet Protection Act (CIPA)[21] was signed into law.
CIPA requires K-12 schools and libraries receiving federal Universal Service Fund (E-rate)
discounts or LSTA grants for Internet access or internal connections to:[22]
adopt and implement an Internet safety policy addressing: (a) access by minors to
inappropriate matter on the Internet; (b) the safety and security of minors when
using electronic mail, chat rooms, and other forms of direct electronic communications;
(c) unauthorized access, including so-called “hacking,” and other unlawful activities by
minors online; (d) unauthorized disclosure, use, and dissemination of personal
information regarding minors; and (e) measures restricting minors’ access to materials
harmful to them;
install internet filters or blocking software that prevents access to pictures that are:
(a) obscene, (b) child pornography, or (c) harmful to minors (for computers that are
accessed by minors);
to allow the filtering or blocking to be disabled upon the request of an adult; and
adopt and enforce a policy to monitor the online activities of minors.
In March 2008, the New York Times reported that a blacklist published by the Office of
Foreign Assets Control (OFAC), an agency established under the Trading with the Enemy
Act 1917 and other federal legislation, included a number of websites, so that U.S.
companies are prohibited from doing business with those websites and must freeze their
assets. The blacklist has the effect that domain name registrars based in the U.S. must block
those websites. According to the New York Times, eNom, a private domain name registrar
and Web hosting company operating in the U.S., disables domain names which appear on
the blacklist.[23] It describes eNom’s disabling of a European travel agent’s Web sites
advertising travel to Cuba, which appeared on the list[24] published by OFAC. According to
the report, the U.S. government claimed that eNom was "legally required" to block the
websites under U.S. law, even though the websites were not hosted in the U.S., were not
targeted at U.S. persons and were legal under foreign law.
The Deleting Online Predators Act of 2006 was introduced, but did not become law.[25] Two
similar bills were introduced in 2007, but neither became law.[26][27]
The proposed legislation would have required schools, some businesses, and libraries to
block minors' access to social networking websites. The bill was controversial because,
according to its critics, it would limit access to a wide range of websites, including many with
harmless and educational material.
The Protecting Cyberspace as a National Asset Act was introduced in 2010, but did not
become law.[28]
The proposed Act caused controversy for what critics perceived as its authorization for the
U.S. President to apply a full block of the Internet in the U.S.[29]
A new bill, the Executive Cyberspace Coordination Act of 2011, was under consideration by
the U.S. Congress in 2011.[30] The new bill addresses many of the same issues as, but takes
quite a different approach from, the Protecting Cyberspace as a National Asset Act.
The Combating Online Infringement and Counterfeits Act was introduced in September
2010, but did not become law.[31]
The proposed Act would have allowed the U.S. Attorney General to bring an in rem action
against an infringing domain name in United States District Court, and seek an order
requesting injunctive relief. If granted, such an order would compel the registrar of the
domain name in question to suspend operation of, and may lock, the domain name.[31]
The U.S. Justice Department would maintain two publicly available lists of domain
names.[31] The first list would contain domain names against which the Attorney General has
obtained injunctions. The second list would contain domains alleged by the Justice
Department to be infringing, but against which no action had been taken. Any service
provider who willingly took steps to block access to sites on this second list would be immune
from prosecution under the bill.
The Stop Online Piracy Act (SOPA), also known as H.R. 3261, is a bill that was introduced in
the United States House of Representatives on October 26, 2011, by Representative Lamar
Smith (R-TX) and a bipartisan group of 12 initial co-sponsors. The originally proposed bill
would allow the U.S. Department of Justice, as well as copyright holders, to seek court
orders against websites accused of enabling or facilitating copyright infringement. Depending
on who requests the court orders, the actions could include barring online advertising
networks and payment facilitators such as PayPal from doing business with the allegedly
infringing website, barring search engines from linking to such sites, and requiring Internet
service providers to block access to such sites. Many have argued that, since ISPs would be
required to block access to certain websites, this is censorship. On 18 January 2012, the
English Wikipedia shut down for 24 hours beginning at 5:00 UTC (12:00 EST) to protest
SOPA and PIPA. In the wake of this and many other online protests, Rep. Lamar Smith has
stated, "The House Judiciary Committee will postpone consideration of the legislation until
there is wider agreement on a solution".[32]
Senator Ron Wyden, Democrat of Oregon and a key opponent of the bills, said lawmakers
had collected more than 14 million names — more than 10 million of them voters — who
contacted them to protest the once-obscure legislation.[32]
The Protect Intellectual Property Act (Preventing Real Online Threats to Economic Creativity
and Theft of Intellectual Property Act, or PIPA) is a proposed law with the stated goal of
giving the US government and copyright holders additional tools to curb access to "rogue
websites dedicated to infringing or counterfeit goods", especially those registered outside the
U.S.[33] The bill was introduced on May 12, 2011, by Senator Patrick Leahy (D-VT)[34] and 11
bipartisan co-sponsors. PIPA is a re-write of the Combating Online Infringement and
Counterfeits Act (COICA),[35] which failed to pass in 2010. In the wake of online protests held
on January 18, 2012, Senate Majority Leader Harry Reid announced on Friday January 20
that a vote on the bill would be postponed until issues raised about the bill were resolved.
Reid urged Sen. Patrick Leahy (D-Vermont), the chief sponsor of PIPA, to “continue
engaging with all stakeholders to forge a balance between protecting Americans’ intellectual
property, and maintaining openness and innovation on the internet.”[32][36]
The Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed law introduced in
November 2011, with the stated goal of giving the U.S. government additional options and
resources to ensure the security of networks against attacks.[37] It was passed by the U.S.
House of Representatives in April 2012, but was not passed by the U.S. Senate. In February
2013 the bill was reintroduced in the House.[38]
CISPA is supported by several trade groups containing more than eight hundred private
companies, including the Business Software Alliance, CTIA – The Wireless
Association, Information Technology Industry Council, Internet Security Alliance, National
Cable & Telecommunications Association, National Defense Industrial
Association, TechAmerica and United States Chamber of Commerce, in addition to individual
major telecommunications and information technology companies
like AT&T, Facebook, IBM, Intel, Oracle Corporation, Symantec, and Verizon.[39][40]
Reporters Without Borders expressed concern that in the name of the war on cyber crime, it
would allow the government and private companies to deploy draconian measures to
monitor, even censor, the Web.[41] Other organizations that oppose the bill include
the Constitution Project, American Civil Liberties Union, Electronic Frontier
Foundation, Center for Democracy and Technology, Fight for the Future, Free
Press, Sunlight Foundation, and TechFreedom. Google has not taken a public position on
the bill, but lobbied for it.[42]
In January 2015 details from the Sony Pictures Entertainment hack revealed the MPAA's
lobbying of the United States International Trade Commission to mandate that US ISPs, at either
the Internet transit level or the consumer level, implement IP address
blocking of pirate websites as well as linking websites.[43]
State laws
According to the National Conference of State Legislatures, in September 2013 twenty-six
states have laws that apply to Internet use at publicly funded schools or libraries:[44]
The majority of these states simply require school boards or public libraries to adopt Internet
use policies to prevent minors from gaining access to sexually explicit, obscene or harmful
materials. However, some states also require publicly funded institutions to install filtering
software on library terminals or school computers.
The twelve states that require Internet filtering in schools and/or libraries to protect minors
are: Arizona, Arkansas, Colorado, Idaho, Michigan, Minnesota, Missouri, Ohio,
Pennsylvania, South Dakota, Utah, and Virginia.[44]
The thirteen states that require schools and/or libraries to adopt policies to protect minors
include: California, Delaware, Georgia, Indiana, Iowa, Kentucky, Louisiana, Maryland,
Massachusetts, New Hampshire, New York, South Carolina, and Tennessee. Florida law
"encourages public libraries to adopt an Internet safety education program, including the
implementation of a computer-based educational program."[44]
And five states require Internet service providers to make a product or service available to
subscribers to control use of the Internet. They are: Louisiana, Maryland, Nevada, Texas,
and Utah.[44]
In July 2011 Missouri lawmakers passed the Amy Hestir Student Protection Act which
included a provision that barred K-12 teachers from using websites that allow "exclusive
access" in communications with current students or former students who are 18 or younger,
such as occurs with private messages on sites such as Facebook.[45] A circuit court order
issued before the law went into effect blocked the provision because "the breadth of the
prohibition is staggering" and the law "would have a chilling effect" on free-speech rights
guaranteed under the U.S. Constitution.[46] In September the legislature replaced the
controversial provision with a requirement that local school districts develop their own
policies on the use of electronic communication between employees and students.[47][48]
Censorship by institutions
The constitutional and other legal protections that prohibit or limit government censorship of
the Internet do not generally apply to private corporations. Corporations may voluntarily
choose to limit the content they make available or allow others to make available on the
Internet.[4] Or corporations may be encouraged by government pressure or required by law
or court order to remove or limit Internet access to content that is judged to
be obscene (including child pornography), harmful to children, defamatory, pose a threat
to national security, promote illegal activities such as gambling, prostitution, theft
of intellectual property, hate speech, and inciting violence.[2][3]
Public and private institutions that provide Internet access for their employees, customers,
students, or members will sometimes limit this access in an attempt to ensure it is used only
for the purposes of the organization. This can include content-control software to limit access
to entertainment content in business and educational settings and limiting high-
bandwidth services in settings where bandwidth is at a premium. Some institutions also block
outside e-mail services as a precaution, usually initiated out of concerns for local network
security or concerns that e-mail might be used intentionally or unintentionally to allow trade
secrets or other confidential information to escape.
K-12 schools and libraries that accept funds from the federal E-rate program or Library
Services and Technology Act grants for Internet access or internal connections are required
by the Children's Internet Protection Act to have an "Internet safety policy and technology
protection measures in place".[22]
Many K-12 school districts in the United States use Internet filters to block material deemed
inappropriate for the school setting.[49][50] The federal government leaves decisions about
what to filter or block to local authorities. However, many question this approach, feeling that
such decisions should be made by a student's parents or guardian. Some of the fears
associated with Internet filtering in schools include: the risk of supporting a predominant
ideology, that views held by filter manufacturers are being imposed on students, over
blocking of useful information, and under blocking of harmful information.[51] A 2003 study
"found that blocking software overblocked state-mandated curriculum topics extensively–for
every web page correctly blocked as advertised, one or more was blocked incorrectly."[52]
Some libraries may also block access to certain web pages, including pornography,
advertising, chat, gaming, social networking, and online forum sites,[53] but there is a long and
important tradition among librarians against censorship[54] and the use of filtering and blocking
software in libraries remains very controversial.[55]
In 2007, Verizon attempted to block the abortion rights group NARAL Pro-Choice
America from using their text messaging services to speak to their supporters. Verizon
claims it was in order to enforce a policy that doesn’t allow their customers to use their
service to communicate “controversial” or “unsavory” messages.[56] Comcast, AT&T and
many other ISPs have also been accused of regulating internet traffic and bandwidth.
eNom, a private domain name registrar and Web hosting company operating in the U.S.,
disables domain names which appear on a U.S. Treasury Department blacklist.[23][24]
Military
The Department of Defense prohibits its personnel from accessing certain IP addresses from
DoD computers.[57] The US military's filtering policy is laid out in a report to Congress entitled
"Department of Defense Personnel Access to the Internet".[58]
The Monterey Herald reported on June 27, 2013 that the United States Army bars its
personnel from accessing parts of The Guardian's website after whistleblower Edward
Snowden's revelations about the PRISM global surveillance program and the National
Security Agency (NSA) were published there.[59][60] The entire Guardian website is blocked for
personnel stationed throughout Afghanistan, the Middle East, and South Asia, as well as
personnel stationed at U.S. Central Command headquarters in Florida.[61]
WikiLeaks
In February 2008, the Bank Julius Baer vs. WikiLeaks lawsuit prompted the United States
District Court for the Northern District of California to issue a permanent injunction against
the website WikiLeaks' domain name registrar. The result was that WikiLeaks could not be
accessed through its web address. This elicited accusations of censorship and resulted in
the Electronic Frontier Foundation stepping up to defend WikiLeaks. After a later hearing, the
injunction was lifted.[62]
In December 2010, the White House Office of Management and Budget, the U.S. Library of
Congress, the U.S. Air Force, and other government agencies began advising their
personnel not to read classified documents available from WikiLeaks and some blocked
access to WikiLeaks and other news organizations' websites.[63][64] This action was intended
to reduce the exposure of personnel to classified information released by WikiLeaks and
published by those news organizations.
On December 1, 2010 Amazon.com cut off WikiLeaks 24 hours after being contacted by the
staff of Joe Lieberman, Chairman of the U.S. Senate Committee on Homeland Security.[65] In
a statement Lieberman said:[66]
[Amazon's] decision to cut off WikiLeaks now is the right decision and should set the
standard for other companies WikiLeaks is using to distribute its illegally seized material. I
call on any other company or organization that is hosting WikiLeaks to immediately terminate
its relationship with them.
Constitutional lawyers say that this is not a first amendment issue because Amazon, as a
private company, is free to make its own decisions. Kevin Bankston, a lawyer with
the Electronic Frontier Foundation, agreed that this is not a violation of the first amendment,
but said it was nevertheless disappointing. "This certainly implicates first amendment rights
to the extent that web hosts may, based on direct or informal pressure, limit the materials the
American public has a first amendment right to access".[67]
The New York Times reported on 14 December[68] that the U.S. Air Force bars its personnel
from access to news sites (such as those of The New York Times and The Guardian, Le
Monde, El País, and Der Spiegel) that publish leaked cables.
Individual websites
Restriction of hate speech and harassment on social media is the subject of debate in the
US. For example, two perspectives include that online hate speech should be removed
because it causes serious intimidation and harm,[70] and that it shouldn't be removed because
it's "better to know that there are bigots among us" than to have an inaccurate picture of the
world.[71]
The National Religious Broadcasters, an organization that represents American Christian
television and radio broadcasters, and the American Center for Law and Justice, a
conservative Christian, pro-life group, conducted a study that concluded that some social
media sites are "actively censoring" religious content that expresses Christian perspectives,
because they forbid "hate speech" in the form of anti-homosexual viewpoints.[7
Online Intermediaries
examining the rapidly changing landscape of online intermediary governance at the intersection
of law, technology, norms, and markets. In concert with other research projects, it seeks to
develop criteria, comparative methods, and a shared data repository, and to compile insights
and lessons learned across diverse communities of knowledge aimed at informing and improving
The first research output as part of the larger initiative consists of a case study series exploring
online intermediary liability frameworks and issues in Brazil, the European Union, India, South
Korea, the United States, Thailand, Turkey, and Vietnam, and a synthesis paper that seeks to
distill key observations and provide a high-level analysis of some of the structural elements that
characterize varying governance frameworks, with a focus on intermediary liability regimes and
their evolution. This research builds upon a series of in-person working meetings, including a
workshop hosted by the Radcliffe Institute for Advanced Study at Harvard University, where
the draft country reports and key elements of the synthesis were discussed. Throughout the
process, learning calls supported the sharing of research and methods among the collaborators.
Governance of Online Intermediaries: New
Study by NoC
The Global Network of Internet and Society Research Centers (NoC) and the Berkman
Center for Internet & Society at Harvard University have published a new report which
examines the rapidly changing landscape of online intermediary liability at the
intersection of law, technology, norms, and markets, and is aimed at informing and
improving Internet policy-making globally.
The full text of the case studies and the synthesis paper are available on the Publixphere
website, where the authors welcome comments and feedback. The series and individual
papers are also available for download from SSRN.
IV) SOCIAL NETWORKING SITES VIS-A-VIS HUMAN RIGHTS
The Social Network for Justice and Human Rights (Rede Social de Justiça e Defesa dos
Direitos Humanos or, Rede Social) is a human rights organization that supports the work of
social movements in Brazil through legal assistance, trainings, reporting and media
campaigns on abuses of human rights.
Rede exposes the inhuman and illegal conditions faced by many workers in Brazil’s lucrative
sugar cane and ethanol industry (including documenting cases of slavery and of laborers
being literally worked to death) and has been a courageous advocate for the rights of
activists who are being persecuted for challenging these unjust living and working conditions.
Rede Social provides training and legal assistance to members of social movements and
promotes communication and networking activities at the national and international level.
Rede Social works with a variety of civil society organizations, including the Landless
Workers Movement (MST), Pastoral Land Commission, Movement of People Displaced by
Dams, The Movement of Quilombolas (rural communities of African descendants) and the
Organization of Popular Movements to combat human rights violations such as
assassinations, pre-emptive arrests, wrongful incarcerations, and death threats and other
forms of intimidation toward leaders and members of social movements.
Rede prepares and submits human rights cases and petitions nationally and internationally;
trains community members as human rights monitors and researchers; conducts popular
research; and produces educational materials, books, and reports; and coordinates the
organizations within the network. Rede Social also produces an Annual Report of the Human
Rights in Brazil, with the goal of pressing, informing the public, fighting against impunity in
the rural areas.
Rede’s publications and studies contribute to the coordination and advocacy agendas of
social movements and other Grassroots’ partners like the MST and the Association of Rural
Workers (ATC) in Nicaragua.
EFF is an international civil society non-governmental organization with more than
14,000 members worldwide, dedicated to the protection of citizens’ online civil
rights, privacy, and freedom of expression. EFF engages in strategic litigation in the
United States and works in a range of international and national policy venues
to promote balanced laws that protect human rights, foster innovation and empower
consumers. EFF is located in San Francisco, California and has members in 67
countries throughout the world.
EFF commends the Council of Europe for working to protect and promote respect
for human rights with regards to social networking services. We agree with many of
the basic findings of the recommendations and guidelines which note that social
networking services are key tools for “receiving and imparting information.”
We concur with the statements that individuals “have to be sure that their
rights to private life will be protected when they use social networking
services and that their personal data will not be misused,” and
that social network providers should respect “the right to freedom of expression,
the right to privacy and secrecy of correspondence.” We also recognize that
governments might take narrowly tailored exceptional actions based on the limitations
to freedom of expression established in international law, in particular Article 19 of
the United Nations International Covenant on Civil and Political Rights and Article 10
of the European Convention on Human Rights.
While we commend the Council of Europe for working to protect and promote respect
for human rights by social networks providers, we wish to express caution
on some of the provisions as currently drafted and to respectfully provide additional
suggestions that can be included.
DRAFT RECOMMENDATION ON MEASURES TO PROTECT AND PROMOTE RESPECT FOR HUMAN
RIGHTS WITH REGARD TO SOCIAL NETWORKING SERVICES
A Bill of Privacy Rights for Social Network Users, Electronic Frontier Foundation, 2010,
available at .
Adopt strong legal safeguards and due process before disclosure of individuals’ data to
governmental entities. Government access should be done only upon receipt of a court
order, in accordance with international legal norms and instruments relevant to the
protection of private life.
Allow and encourage social networks to notify the person whose social networking records
are sought whenever possible. Social networks should agree to a timetable for disclosure
to the party requesting data in order to provide a reasonable opportunity for the
individual to file an objection with a court before disclosure.
Foster transparency on the disclosure of citizens' data pursuant to a governmental or
private party request. The guidelines should encourage social networks to publicly
disclose an accounting of the nature and frequency of governmental and private party
requests for access to citizens’ data.[2]
Foster transparency on requests for content removal or the censorship of content. The
guidelines should encourage social networking services to publicly disclose the nature
and frequency of content removal or requests to censor content, including the
justification (e.g., court order, violation of terms of service or other category, if
applicable).
Foster transparency on social networking services’ guidelines for law enforcement
seeking to request information about users.
Any government request to get access to users' personal data should include a provision
to remunerate a social networking service. This obligation will not only compensate the
company for the additional work required to fulfill the request, but will also
incentivize governments towards mitigating on the possibility of unlimited requests.
GUIDELINES FOR SOCIAL NETWORKS PROVIDERS
1. Transparency as regards freedom of expression and access to information
While we agree that the “core conditions” should be written in “a form and language”
that is “appropriate to and easily understandable by, the group of social
networks sites,” we also believe that those terms of services should be accessible in
the users’ native language since those terms of services condition individuals to the
policies’ contents upon his or her consent. For example, Facebook’s site has been
translated in more than 80 languages while the Terms of Services is available only in
less than 10 languages.
2. Appropriate protection of children against harmful content and behavior
2.1 Age-verification creates more privacy risks rather than protect privacy
EFF agrees that age-verification access raises numerous human rights concerns.[3] In
particular, the guidelines correctly emphasize that, “there is not a single technical
solution with regard to online age verification that does not infringe on other human
rights and/or does not facilitate age falsification, thus causing greater risks than
benefits to the minors involved.”
Age-verification access intended to protect privacy would, ironically, create more
privacy risks. There are already several challenges to protecting privacy against the
largely invisible, poorly understood, and continually escalating surveillance of
adults’ online activities, let alone those of children.[4] A study has identified the
unintentional and indirect leakage of personal data via social networking services to
third-party aggregation servers. The study also noted that this leakage is also being
shared with external online social networking applications, which not only have
access to a user’s profile information, but also leak a user’s social networking
identifier to other third parties.[5]
Moreover, age verification processes curtail children’s freedom of expression rights,
including older children’s right to read anonymously. Older children may have ideas
that they want to learn that they might not tell their parents about, and
leaking more personal information, such as age, will only increase privacy risks
for them.[6]
[2] See Google Transparency Report, .
[3] See Ctr. for Democracy & Tech, Electronic Frontier Foundation, The Progress & Freedom
Found., Comment on the Federal Trade Commission’s Implementation of the Children’s
Online Privacy Protection Rule (June 30), .
[4] See Seth Schoen, New Cookie Technologies: Harder to See and Remove, Widely Used to
Track You, Electronic Frontier Foundation, September 14, 2009, . Peter Eckersley, How
Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are
Doing to Help Them), Electronic Frontier Foundation, September 21, 2009.
https://www.eff.org/deeplinks/2009/09/online-trackers-and-social-networks.
[5] See Balachander Krishnamurthy, Craig E. Wills, On the Leakage of Personally
Identifiable Information Via Online Social Networks, available at .
[6] See Rebecca Jeschke, Don't Turn COPPA Into Age-Verification Mandate, Electronic
Frontier Foundation, July 2, 2010, available at .
3. Ensuring users’ control over their data
3.1 Informed consent
To complement point 5 on the right of users to control their data, EFF “Bill of
Privacy Rights for Social Network Users” says:
“Social network services must ask their users' permission before making any change
that could share new data about users, share users' data with new categories of
people, or use that data in a new way. Changes like this should be "opt-in" by default,
not "opt-out," meaning that users' data is not shared unless a user makes an informed
decision to share it. If a social network service is adding some functionality that its
users really want, then it should not have to resort to unclear or misleading
interfaces to get people to use it.”[7]
3.2 Clear user interface
We also ask the Council of Europe to encourage social networks providers to provide a
clear user interface that allows users to effectively exercise their rights. Users
should have “the right to a clear user interface that allows them to make
informed choices about who sees their data and how it is used.”[8]
Professor Greg Conti has pointed out that a good interface is designed
to help users achieve their goals without impediments. However, an “evil” interface is
conceived to deceive users into doing things they do not want to.[9] There are many
examples of obscure user interfaces, such as Facebook’s instant personalization changes
and GoogleBuzz which forced Gmail users to share their email contacts and threatened to
move private GMail recipients into a public "frequent contacts" list, or
Facebook instant personalization changes, are a few examples.[10]
3.3 Transparency on social networking records requests
To address concerns of privacy violations, lack of transparency and public oversight
mechanisms on social networking data requests, we respectfully want to repeat our
above recommendation:
Adopt strong legal safeguards and due process before disclosure of individuals’ data to
governmental entities. Government access should be done only upon receipt of a court
order, in accordance with international legal norms and instruments relevant to the
protection of private life.
Allow and encourage social networks to notify the person whose social networking records
are sought whenever possible. Social networks should agree to a timetable for disclosure
to the party requesting data in order to provide a reasonable opportunity for the
individual to file an objection with a court before disclosure.
Foster transparency on the disclosure of citizens' data pursuant to a governmental or
private party request. The guidelines should encourage social networks to publicly
disclose an accounting of the nature and frequency of governmental and private party
requests for access to citizens’ data.
Foster transparency on requests for content removal or the censorship of content. The
guidelines should encourage social networking services to publicly disclose the nature
and frequency of content removal or requests to censor content, including the
justification (e.g., court order, violation of terms of service or other category, if
applicable).
Foster transparency on social networking services’ guidelines for law enforcement
seeking to request information about users.
Any government request to get access to users' personal data should include a provision
to remunerate a social networking service. This obligation will not only compensate the
company for the additional work required to fulfill the request, but will also
incentivize governments towards mitigating on the possibility of unlimited requests.
[7] Supra note 1
[8] Supra note 1.
[9] Professor Greg Conti, Evil Interfaces, Hackers On Planet Earth conference, 2008, .
See also, Tim Jones, Facebook's "Evil Interfaces," Electronic Frontier Foundation,
April 29, 2010, available at .
[10] FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social
Network, March 30, 2011, Federal Trade Commission, available at . Kurt Opsahl, How to
Opt Out of Facebook’s Instant Personalization, Electronic Frontier Foundation,
April 22, 2010, available at .
3.4 Enable by default site-wide SSL and security breach notification
The guidelines correctly point out the importance for social networking providers to
“apply state of the art security measures.” We respectfully request the Council
of Europe to recommend member states to encourage social network providers
to enable site-wide SSL by default to protect users’ information and
communications from eavesdropping. In addition to enabling default site-wide
SSL, social networking services should inform users and national data protection
authorities about any security breach affecting their users.
Security breach notification can be an important tool for helping to ensure online
security. For example, during the Tunisian revolution, the Tunisian government
launched an attack on activists that stole the usernames and passwords of Tunisians
logging in to Google, Yahoo, and Facebook.[11] The Tunisian government then logged
in to Tunisians’ email and Facebook accounts. During this period of time, EFF urged
Facebook, Google, and Yahoo to take concrete steps as quickly as possible to inform
and better protect their users against the breach.
[11] Eva Galperin, EFF Calls for Immediate Action to Defend Tunisian Activists Against
Government Cyberattacks, Electronic Frontier Foundation, January 11, 2011, available
at
3.5 The privacy policies dilemma
The problems with privacy policies are serious. In many cases, the privacy policies
of social networking services lack a definition of critical terms or broadly state the
purposes of data collection (e.g., “to provide you with a better experience”) to allow
limitless uses of personal data.[12] Therefore, EFF believes that vague justifications
such as providing “a better user experience” tell individuals nothing useful for them
to make an informed decision about the use of their personal data.
We agree with guidelines that call for “ensuring transparent information for users
about the management of their personal data in a form and language that is
appropriate for the target groups of the social networking services.” We want
to repeat our concerns, however, about the need to provide privacy policies in
the user’s native language.
3.6 Deletion of profiles
We want to commend the Council of Europe for requesting that social network
services “make sure that users are able to completely delete their profile and all data
stored about and from them in a social networking service.” As we have said in our
“Bill of Privacy Rights for Social Networking Users,” a user should have the right to
delete data or her entire account from a social network service. It should be
permanently eliminated from the service's servers. Social network services should
not disable access to data while continuing to store or use user’s data. The data should be
permanently eliminated from the service’s servers. Furthermore, if users decide to leave
a social network service, they should be able to easily, efficiently and freely take their
uploaded information away from that service and move it to a different one in a usable
format. This concept is fundamental to promote competition and ensure that users truly
maintain control over their information, even if they sever their relationship with a
particular service.[13]
3.7 Data Minimization
A social networking service should limit the collection of personal data, including
transactional data and location data to the minimum amount necessary to provide
services. They should store personal information for the minimum time necessary for
the purpose of their operations. A social networking service should effectively
obfuscate, aggregate and delete unneeded or unused user personal information
about users. They should also maintain written policies addressing those personal
data collection and retention minimization policies. Policies should clearly
specify the kind of data collected, the period of retention, and avoid the use
of general or vague terms that promote the limitless use of data.[14]
Law must provide any restriction on the right to privacy. For a restriction to be
permissible, the restrictive measure must be necessary in a democratic society. It is
not enough that the restriction serves one of the enumerated legitimate aims; the
restriction must be necessary for reaching the legitimate aim. The restriction must
comply with the principle of proportionality; the restriction must be appropriate to
achieve its protective function; it must be the least intrusive instrument amongst
those that might achieve the desired result; and the restriction must be
proportionate to the interest that is to be protected.[15] Therefore, legal frameworks
that compel social networking services to retain
personal data, including transactional data and subscription information, may be in
violation of Article 17 of the United Nations International Covenant on Civil
and Political Rights and the European Convention on Human Rights.[16]
[12] See CDT-EFF, Proposed Smart Grid Privacy Policies and Procedures 5-9 (California
Public Utility Commission Rulemaking 08-12-009) (Oct. 15, 2010) (Attached as “Exhibit 1
of 1”).
[13] Supra note 1.
[14] Electronic Frontier Foundation, Best Practices for Online Service Providers,
June 28, 2011, available at .
3.8Freedom+of+Expression:+Anonymity+and+Pseudonymity We!also commend!
the!Council! of!Europe! for!asking!a! social!networking! service to! “consider!allowing!
the!possibility! of!pseudonymous!profiles.”! In!particular,!we!are! pleased! to! read! the!
“Declaration! on! freedom! of! communication! on! the! Internet”! which!
supports!anonymity!and!pseudonymity.17 In! the!Declaration,! the!Committee!
of!Ministers! stress! that;! “In! order! to! ensure! protection! against! online!
surveillance!
and!to!enhance!the!free!expression!of!information!and!ideas,!member!states!should!
respect!the!will!of!users!of!the!Internet!not!to!disclose!their!identity.”
Throughout history, individuals have been writing in anonymous or pseudonymous
ways. Anonymous and pseudonymous expression allows individuals to express
unpopular opinions, honest observations, and otherwise unheard complaints.
Individuals may decide to communicate anonymously or pseudonymously out of
concern about political or economic retribution, harassment, or even threats to their
lives. Unfortunately, Facebook’s Terms of Service requires Facebook users to
provide their real names and information.18 This practice creates serious risks
particularly for dissidents and human rights workers in developing democracies
who are compelled to use their real names on Facebook, especially in those
countries with weaker democracies, and authoritarian regimes.19 Facebook’s real
name policy creates a double negative effect: if Facebook’s Terms of Service
are violated for using a pseudonym, Facebook can disable an individual’s account,
shutting down a key avenue for political discourse.20 For example, the administrator
of the “We Are All Khaled Said” Facebook page used a pseudonym. The page
encouraged its fans to document the Egyptian elections. However, the administrator’s
Facebook account was deactivated just prior to the elections; the takedown of his
account resulted in the temporary takedown of the Facebook page.21 The Michael
Anti case is another example. Michael Anti is the pseudonym of a former journalist,
who has used this nickname for more than 10 years. Facebook deactivated his
account and cut him off from a network of more than 1,000 contacts who know him
as Anti.22

3.9 Government Uses of Social Networking Services for Investigations and Beyond

Several news reports have made it clear that governments use social networking
services as a tool for investigation.23 The lack of transparency about how the
personal data is collected and used, for how long it is kept, and who has access to it
makes the problem even worse.24

EFF, with help from the Samuelson Clinic at the University of California Berkeley
Law School, made a series of US Freedom of Information Act (FOIA) requests asking
various US law enforcement agencies to disclose documents detailing their use
of social networking sites in their investigations.25 The documents disclosed
through this project revealed, among other things, Citizenship and Immigration’s
surveillance of social networks to investigate citizenship petitions and the DHS’s use
of a “Social Networking Monitoring Center” to collect and analyze online
public communication during President Obama’s inauguration. The center
monitored social networking sites for “items of interest.”26

In addition, we have found guidelines revealing how several US social networking
services handle requests for user information such as contact information, photos,
IP logs, friend networks, buying history, and private messages.27 The guides we have
received through EFF FOIA requests show that social networking sites have
struggled to develop consistent, straightforward policies to govern how and when
they will provide private user information to law enforcement agencies. The guides
also show how those policies have evolved over time.28 We should emphasize that
many of those guidelines are not made available to the public by social networking
services. It is worth pointing out that only Craigslist’s and Twitter’s guides are
posted on their websites.

15 Martin Scheinin, “Report of the Special Rapporteur on the promotion and
protection of human rights and fundamental freedoms while countering
terrorism,” p11, available at . See also General Comments No. 27, Adopted
by The Human Rights Committee Under Article 40, Paragraph 4, Of The
International Covenant On Civil And Political Rights, CCPR/C/21/Rev.1/Add.9,
November 2, 1999, available at .

16 Digital Civil Rights in Europe, French Decree Establishes What Data Must Be
Retained By Hosting Providers, EDRi-gram - Number 9.5, March 2011, available at .
See also [Norwegian] Protests greet new data storage law, April 5, 2011,
available at . See also, European Commission Home Affairs, Taking on the Data
Retention Directive, available at . See Report of The Data Retention Conference,
‘Towards The Evaluation Of The Data Retention Directive’, Brussels, 14 May 2009,
available at .

17 Declaration on freedom of communication on the Internet, available at .

18 Facebook, Statement of Rights and Responsibilities, available at .

19 Jillian C. York, Policing Content in the Quasi-Public Sphere, Open Net Initiative,
page 10, .

20 Eva Galperin, EFF Calls for Immediate Action to Defend Tunisian Activists Against
Government Cyberattacks, EFF, January 2011, available at .

21 Mike Giglio, Middle East Uprising: Facebook's Secret Role in Egypt, The Daily Beast,
February 24, .

22 Tiny Tran, Activist Michael Anti Furious He Lost Facebook Account--While
Zuckerberg's Dog Has Own Page, Huffington Post, August 3, 2011, available at .

23 See Laura Saunders, Is 'Friending' in Your Future? Better Pay Your Taxes First,
The Wall Street Journal, Lacrosse Tribune, August 27, 2009, available at . See also
KJ Lang, Facebook friend turns into Big Brother, November 19, 2009, available at .

In addition to using this information
on social networking sites for law enforcement investigations, the US government
has been considering using it for all background checks in security clearances.29
With just a name, address, date of birth, and social security number,
government-hired Internet investigators were able to find “noteworthy” search
results for as many as 53% of the 349 study participants. “Noteworthy” information
included the proclivity to put personal information online, but also included
so-called “questionable” material such as disclosure of “underage drinking,
profanity, and extreme religious and/or political views on public forums.” Social
networking sites like MySpace were also included in the background
investigations.30 These techniques raise questions about the limits and appropriate
accountability concerning the ways in which government agencies and law
enforcement officials collect and analyze information about individuals online.

4. Conclusion

EFF respectfully asks the Council of Europe to revise its guidelines and
recommendation to ensure that social networking services will protect privacy
vis-à-vis the government, foster transparency on the disclosure of citizens' data
pursuant to a governmental or private party request, foster transparency on
requests for content removal or the censorship of content, and foster transparency on
social networking services’ guidelines for law enforcement seeking to request
information about users. EFF also asks the Council of Europe to ensure that freedom
of expression rights, including the readers’ rights to use social networking services
anonymously, be respected, and not curtailed, by social networking services. The
Council of Europe should also ensure appropriate accountability concerning the
ways in which government agencies and law enforcement officials collect and
analyze information about individuals online. Finally, any government request to get
access to users' personal data should include a provision to remunerate a social
networking service. This provision will incentivize governments towards mitigating
the possibility of unlimited requests.

EFF would be pleased to answer any questions on these matters.
Thank you for your consideration.

Katitza Rodriguez Pereda
International Rights Director
Electronic Frontier Foundation
katitza@eff.org | https://www.eff.org

24 See also, Electronic Frontier Foundation, Lawsuit Demands Answers About
Social-Networking Surveillance, December 1, 2009, available at .

25 Electronic Frontier Foundation, FOIA: Social Networking Monitoring Site,
available at .

26 Electronic Frontier Foundation, Lawsuit Demands Answers About Social-Networking
Surveillance, December 1, 2009, .

27 Jennifer Lynch, Social Media and Law Enforcement: Who Gets What Data and When?,
Electronic Frontier Foundation, January 20, 2011, available at .

28 See EFF comprehensive spreadsheet that compares how social networking services
handle requests for user information such as contact information, photos, IP logs,
friend networks, buying history, and private messages, available at .

29 Electronic Frontier Foundation, FOIA: Office of the Director of National
Intelligence, available at .

30 Jennifer Lynch, Government Finds Uses for Social Networking Sites Beyond
Investigations, Electronic Frontier Foundation, .