CRIMINAL PROVISIONS OF THE INFORMATION TECHNOLOGY ACT, 2000: UIDAI’S AADHAAR

AND WHAT HAS BEEN GOING WRONG

 INTRODUCTION

There’s no denying India’s need of laws for checking the highly recurrent cyber offences

owing to its arrival in the cyber era, particularly due to UIDAI’s Aadhaar. What I argue,

however, is that the penal provisions under the Information Technology Act, 2000

[hereinafter “IT Act”] are slightly inadequate for this purpose. Although I support the advent

of a new legislation in this regard, I feel the IT Act provisions alone, if worded correctly and

implemented well, would go on to do the needful. This project report is confined to the

Aadhaar database as a computer database that is restricted for reasons of the Security of the

State.

THE ELEMENT OF MENS REA WHICH IS FUNDAMENTAL TO THE IDEA OF “CRIME”

“Crime is crime because it consists in wrongdoing which directly and in serious degree

threatens the security or well-being of society, and because it is not safe to leave it redressible

only by compensation of the party injured.”1 By a reading of these lines, one could

understand the degree of an act that constitutes crime. So to say, wrongdoing which threatens

the society and the fact that it is unjust to settle it only by compensation are the two reasons

for calling an act a crime. However, there is something as essential as the act which this

definition fails to cover and that is the ingredient of mens rea.

The essence of criminal law has been said to lie in the maxim – “actus non facit reum nisi

mens sit rea”.2 There can be no crime, large or small, without an evil mind3 as the essence of

the crime is its wrongful intent without which it cannot exist.4 There may or may not be an

1
CK Allen, The Nature of Crime, JOURNAL OF SOCIETY OF COMPARATIVE LEGISLATION, 1931 (221, 233).
2
Eugene J. Chesney, The Concept of Mens Rea in the Criminal Law, 29 J. CRIM. L. & CRIMINOLOGY, (1939)
(627, 629).
3
Francis Bowes Sayre, Mens Rea, 45 HARVARD LAW REVIEW, 1932 (974, 974).
4
BISHOP, Criminal Law, 287 (9th ed., 1930).
intent to engage in any criminal activity.5 To punish conduct without reference to actor’s state

of mind is both inefficacious and unjust.6

Subba Rao J. has raised a very beautiful question in a case which requires a lot of

brainstorming:7 Whether the intention of the Legislature is to punish persons who break the

said law without a guilty mind?

Firstly, what exactly constitutes a guilty mind? The meaning of a “guilty mind” is different

for different offences.8 Each crime consists of a prohibited act or omission coupled with

whatever state of mind is called for by the statute which creates the offence.9 Indian Penal

Code, 1860 provides for various ingredients relating to mens rea incorporated in phrases like

‘intentionally’, ‘knowingly’, ‘dishonestly’ etc.10 Such phrases have, of course, been provided

for in the IT Act too. However, no requisite intention has been provided for the provision of

Section 70 (3)11 which penalises simple access to a protected system: Any person who secures

access or attempts to secure access to a protected system in contravention of the provisions

of this section shall be punished with imprisonment of either description for a term which

may extend to ten years and shall also be liable to fine.12

Secondly, this question brings us to another question which seems quite futile at first, but

worth pondering once we reconsider it: Can the intention of the legislature be to acquit a

person even when he has committed the act with the intention “required” by the statutory

provisions? This question would be answered in the affirmative only in two situations: firstly,

when the legal provision is not worded according to the legislature’s intention and secondly,

5
Laura Evenson & Michelle Quinn, Outlaws on the Cyberpraire, S. F CHRON, 02/04/95.
6
Herbert L. Packer, Mens Rea and the Supreme Court, 1962 THE SUPREME COURT REVIEW, 1962, (107, 109).
7
State of Maharashtra v. Mayer Hans George, AIR 1965 SC 722.
8
KD GAUR, Commentary on the Indian Penal Code, 132 (2006 ed., 2006).
9
SMITH AND HOGAN, Criminal Law, 116 (14th ed., 2015).
10
K.N.C. PILLAI, General Principles of Criminal Law, 8 (2nd ed., 2011).
11
Section 70 (3), Information Technology Act, 2000.
12
Id.
when the implementation of the provision is not in accordance with the legislature’s

intention.

Both these situations are of great relevance when we talk about the provision of S. 66F of the

IT Act. The provision defines the scope of cyber terrorism under 2 alternative parts: 66F (1)

A and 66F (1) B. The problem arises due to the latter which penalises anyone who

“knowingly or intentionally penetrates or accesses a computer resource without

authorisation or exceeding authorised access, and by means of such conduct obtains access

to information, data or computer database that is restricted for reasons of the security of the

State or foreign relations; or any restricted information, data or computer database, with

reasons to believe that such information, data or computer database so obtained may be used

to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the

security of the State, friendly relations with foreign States, public order, decency or morality,

or in relation to contempt of court, defamation or incitement to an offence, or to the

advantage of any foreign nation, group of individuals or otherwise”,13 for the commission of

the offence of “cyber terrorism”.

A provision which defines an offence as serious as cyber terrorism shall not be as broad as

the above provision. The problem that underlies this provision is the mens rea prescribed by

it. Firstly, “knowingly” accessing a computer without authorization becomes a cause of great

problem once we consider the fact that an unsafe system like Aadhaar is also “restricted for

reasons of security of the state”. Secondly, it brings within its ambit anyone who

“knowingly” accesses any restricted information or database in relation to contempt of court

or defamation. (This project report is confined to the first point only) Now, let us consider

instances where these two aspects would go on to create sever issues.

13
Section 66F (1) B, Information Technology Act, 2000.
 A RELEVANT OBSERVATION

UIDAI’s inefficient management of Aadhaar has not been unknown to the world.14 An

identification project that involves the collection of the biometric and demographic

information of 1.3 billion15 people, creating the largest biometric identity project in the world,

must be scrutinized carefully to assess its compliance with human rights.16 The UIDAI has

not only declared Aadhaar a “protected system”17 under Section 70 (1),18 but also the

biometric information amounts to “sensitive personal data” under Section 43A19. The latter

provision imposes a duty of care on the government to protect such information from being

accessed by unauthorised people.

Basically, Aadhaar is a protected system for namesake and the government is not using

reasonable practices to fulfil its duty under Section 43A Say, in such a scenario, someone has

shared a link on whatsapp wherein all the details of 1.3 billion Indian citizens are accessible,

what are going to be the consequences?

Technically, from a legal point of view, everyone who opens such link would fall within the

purview of Sections 66F and 70(3) of the IT Act. However, the government, who has never

provided clarity as to the security framework that is in place for the “sensitive personal data”,

would evade the liability under Section 43A because it only expects the government to

employ reasonable practices.

Now, let us get back to the debate over mens rea. In such a scenario, was the intention of the

legislature to punish the public who have accessed the link shared on whatsapp for offences

14
Aadhaar: 'Leak' in world's biggest database worries Indians, BBC NEWS, 05/01/18,
https://www.bbc.com/news/world-asia-india-42575443
15
Krishnadas Rajagopal, ‘Aadhaar in numbers: key figures from UIDAI CEO's presentation to the Supreme
Court’, THE HINDU, 22/03/18.
16
K.S. Puttuswamy v. Union of India, 2018 SCC OnLine SC 1642.
17
G.S.R. 993(E), Ministry of Electronics and Information Technology, 11 December, 2015.
18
Section 70 (1), Information Technology Act, 2000.
19
Section 43A, Information Technology Act, 2000.
as grave as cyber terrorism and that under Section 70? Perhaps it was not. However, these

people have knowingly accessed the information protected for the reasons of security of state

and hence, they are criminals under Section 66F. Further, mere access to a protected system

is punishable under Section 70, hence these people fall within the same.

Access to a computer system, on the basis of intention, can be criminal or benign.20 To

become criminally liable, the person should be able to form the requisite criminal intent in

committing the crime.21 In fact even, a hacker who penetrates a computer just to know about

the actual working of the computer system does not intend to engage into any criminal

activity.22 Someone who tries to point out the fallacy in Aadhaar system in order to inform

the public about such a relevant problem does not engage in criminal activity by simply

accessing the system. Such ethical hackers, who do not have a criminal intent, should be

differentiated from serious computer criminals.23 Mere knowledge of harm that will be

caused without any criminal action does not make the accused liable if his act is done to

avoid other harm to person or property.24

Apart from the mens rea aspect, the principle of proportionality should be considered too:

Penalties should be proportionate in their severity to the gravity of defendant’s criminal

conduct.25 The state which has breached such a huge duty is liable for a civil wrong 26 under

Section 43A, which in any case it escapes. Whereas, the citizens, who have, by chance, fell

into the trap of words of the statute, are charged for grave crimes which are punishable by

imprisonment which might extend up to 10 years27 or even lifetime28. This is gross injustice

20
PROF. RK CHAUBEY, An Introduction to Cyber Crime and Cyber Law, 372 (2nd ed., 2012).
21
R v. Bedworth, Southwark Crown Court, 21st May, 1993.
22
Abhinav Gupta v. State of Haryana, 2008 Cr LJ 4536.
23
R v. Gold, (1988) 1 AC 1063.
24
RATANLAL AND DHIRAJLAL, Indian Penal Code, 138 (35th ed., 2017).
25
Andrew von Hirsch, Proportionality in the Philosophy of Punishment, 16 CRIME AND JUSTICE, 1992 (55, 56).
26
APARNA VISHWANATHAN, Cyber Law, 97, (1st ed., 2012).
27
Section 70, Information Technology Act, 2000.
28
Section 66F, Information Technology Act, 2000.
once we consider the principle of crimes being proportional to the punishment that should be

given for them. This, like mens rea¸ is one of the most fundamental principles of criminal law

which should always be one of the most important considerations while framing of penal

statutes.

CONCLUSION

This project report has shown us how the wording of the IT Act and the current situation due

to UIDAI’s Aadhaar can lead to problems and what has been going wrong in this regard.

Considering the aforementioned, one could sense the need for further amendment in the IT

Act so as to incorporate some much needed changes pertaining to the above issues.

A useful suggestion for improving the state of affairs would be to incorporate other degrees

of mens rea in criminal provisions like Section 66F and Section 70 of the IT Act. For

instance, Section 66 which is a criminal provision too: Acts, falling under S. 43 of the IT Act,

when done “fraudulently or dishonestly”, assume a criminal nature and amount to computer

related offences.

Dishonest - An intention to gain wrongfully29 by getting what one does not have30 amounts to

a dishonest intention. To gain wrongfully simply indicates towards gaining unlawfully.31

Fraudulent - An act is done fraudulently when done with an intention to defraud 32. Where

there is a benefit or advantage33 or the likelihood34 of advantage to the deceiver as a result of

the deceit, he is said to have an intention to “defraud”35.

29
Indian Penal Code, §24
30
Section 5 (3), The Fraud Act, 2006.
31
KN Mehra v State of Rajasthan, AIR 1957 SC 369.
32
Indian Penal Code, § 25
33
Haycraft v. Creasy, (1801) 2 East 92.
34
In re B.V. Padmanabha Rao, 1970 Cr LJ 1502 (Mysore).
35
Vimla v. Delhi Administration, AIR 1963 SC 1572.
Changing the requisite intention for the concerned provisions would restrict their ambit and

would ensure that the instances like the “observation” do not fall within it, hence, solving the

problem to an extent. And in case of Section 43A, the standards need to be clearer. “Ensuring

reasonable security practices” is something that allows someone like the government to

escape the liability, which is anyway something as less serious as compensation.

Such problems need judicial so as to provide proper interpretation to the provisions of the Act

or legislative assistance to word the provisions in a better manner. While I agree that the Act

is a relatively new law and is still undergoing changes, these are some serious issues which

need attention.