Where The Truth Lies
Unless I am very wrong, the date this article appears in print is one of only three such dates every century; and each one is special. 11-11-11, like 10-10-10 and 01-01-01 are all binary in appearance. (Of course, should you have the luck to read this at eleven minutes past an hour before noon, you should consider yourself twice blessed: 11-11-11-11-11).
That binary world is the world of computers in what we call the “digital” age. These date-numbers are special because they represent a very old system of delivering digital instructions: one/zero, true /false, yes/no, with nothing in between. Every permutation and combination necessary in the digital world, from movies and music to text and images, can be achieved by a manipulation of binary digits. Despite all its ability to render in colour and enable us to see and hear details we never could before, the digital world is still a world of black and white.
Law, on the other hand, dwells almost entirely in a world of grey, with very little that is an absolute white or black, yes or no, one or zero. It is at the point of intersection of these two different worlds that the law gets tested as nowhere else. The nature of digital technology is rapid change, measured sometimes in minutes; the law is altogether more glacial. If, therefore, the law has to keep step with digital technology, it must be designed so that it can adapt to changes in technology without needing a complete restructuring of the law.
The nature of the digital world has altered our perceptions and the way we conduct ourselves. Copyright and intellectual property theft is that much easier in a digital age. So is the assumption of a new identity or the concealment of your own identity. Many of us, overwhelmed, view digital information flung at us as true — chain mail hoaxes about dying babies, for instance, and threats of imminent catastrophic self-destruction should you open a random mail. In the physical world, we would only sneer at these same messages. Digital communications and the internet have changed the way we view “the truth” and led many of us to believe, perhaps out of fear of technology or mere ignorance — some dark magic seems at play here — that anything that comes at us over an internet connection is, by definition, true. Worse yet, we no longer seem to need “proof” of anything we read.
This is a serious issue when digital communications run up against the law. Some years ago, a High Court judge opined that because a certain message was sent by email, it could not, for that reason, be disbelieved. In other words, an email print-out had to be believed without further proof. Like most of us, the judge was probably overwhelmed by the technology or perhaps he never really understood it at all. He was utterly wrong, of course; it’s exactly the reverse. A print-out of an email proves nothing, and this was demonstrated to the appeal court by simply manufacturing a bunch of print-outs, all of which looked like legitimate emails, but not one of which was true (one offered the Rajabhai Tower for sale). With very little effort, anyone could conjure up an email that appears to be from me to my editor offering to sell to the Mumbai Mirror the whole of CST for conversion into a printing press — for Rs.100 lakh crores. But for the content, could we say if this email was true or not? Suppose it had contained something more mundane — a request to borrow a book, perhaps — would it then be true? Do the plausibility of the contents of an email prove the email?*
*To actually prove an email, you must dive into the digital ocean: you need machines codes, IP addresses, extended headers, all manner of digital information to establish that an email was ever sent and delivered. The law’s simple answers — registered post acknowledgement cards and physical endorsements of receipts — do not work here.
Our Information Technology Act of 2000, even after its 2008 amendment, is a grand example of squandered opportunities. It locks itself into a certain encryption technology, something which is downright daft.1 Even before that, in the definitions section, the Act’s mutton-headedness shows through. There are separate definitions for “computer”, “computer system”, “computer resource” and “computer network”. “Data” is defined in relation to a “computer”. An “electronic record” includes data. “Information” also includes data; and data means, among other things, a representation of information.2 Right, got that. Before the 2008 amendment, hacking meant not what you and I know it to mean — unauthorised access to a computer — but unauthorised access with intent to cause or the knowing of the likelihood of causing wrongful loss or damage to the public or any person.3 Imagine what you had to prove: unauthorised access, intent, knowledge, loss. And that was for criminal liability. A completely different, and simpler, definition was also thoughtfully provided for civil liability (a claim in damages) in a totally different section.4 The 2008 amendment takes a stab at sorting this out and adopts the simpler definition (unauthorised access) but even here the babus who draft these laws can’t control their primal urges: this unauthorised access must still be proved to be dishonest and fraudulent, terms that have a specific meaning in criminal law.5
From the odd, the Act moves cheerfully to the bizarre: to “prove” an electronic record several conditions are to be met.6 The first of these is this:
“the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer”.
That gives a flavour of what follows. Information during this period must be shown to have been “fed” into the computer (is receiving an email “feeding”?). The computer must have been working properly or without significant failure so as to affect it. What? Crashes, hard disk failures, those blue screens of death, data loss, or perennial upgrades each with their own problems — any one of these could invalidate “proof”. No operating system is perfect. Many crash, some more often and more spectacularly than others. All this, and more, must be “certified” by a person occupying a responsible official position in relation to the computer. There is nothing official about my “position” in relation to my computer and I can’t remember the last time anyone called me responsible in any context.
Vir Sanghvi’s recent article in Outlook demonstrates the hazards and inadequacies of our digital law. Sanghvi claims to have ascertained from no less than three experts that the Radia Tapes which damned him appear to have been doctored. I do not know if the original tapes were physical tapes (like cassettes) or digital recordings, but let’s assume they were digital, since those are the versions available online, including on the website of Outlook itself. I hold no brief for Sanghvi and nor is this a comment on the tapes or the persons involved. But if Sanghvi now wants to prove tampering, how would he ever be able to negotiate the morass of the ITA 2000? The tapes are data, and information. Somebody must certify them as true, going through the gamut of conditions listed. Then Sanghvi must establish that there was unauthorised tampering with this data (leave aside that the data itself might have been unauthorised to begin with). Even his own experts are unable to say with certainty that the data was tampered. They only assess probabilities. Is that good enough for our law? For Sanghvi to find exoneration? To the contrary: it seems that our technical/technological law, because it is so utterly flawed, myopic and smug in its mindlessness, will make that impossible or, at any rate, very, very difficult. The same situation applies to the Bhushan tapes and now to the CD involving a minister in Rajasthan.
This disconnect is primarily because the IT Act fails to address the fundamental difference between the digital and real worlds: the question of malleability. By definition, digital data can be manipulated. Digital communications and the internet depend on digital manipulation. Our emails, for instance, differ from letters and postcards. Emails are literally chopped up into data ‘packets’ during despatch and reassembled at the other end. Imagine a postcard being dismembered and then restored, and the effect of that on “proof”. Our take a web page. Many web pages are rendered ‘dynamically’: they don’t actually exist in any form at all. When we click a link, a digital message goes off to a database — which could be anywhere and in any number of forms — and, through a process again of assembling, a page is ‘rendered’ for our viewing. Quite literally, it is drawn out as and when it is called for.
More intricacy: a web page can be altered on-the-fly to render in a particular fashion depending on who you are or where you are located. This is how we see targeted advertising on the Internet. A web page with ads viewed in India can be very different from the same page seen overseas.
Deleting it or changing a web page entirely is a matter of a few minutes. Now project this to digital contracts, those little “I Agree” buttons we press or the checkboxes we tick off every time we sign up. Do we ever read those ‘contracts’? Where do they exist? What do they say, and what are the legal terms? We click — a digital signature — and then the contract disappears. Nobody ever has a copy. Suppose the person who made you sign it changed it and, say, altered the jurisdiction clause from Mumbai or London to Ouagadougou. How would you establish that that is not the contract you ‘signed’? The IT Act does not even begin to address these issues.
This messiness is more than bad drafting or shoddy thinking. It is a hindrance. It slows decision-making. It forces litigants, lawyers and judges down roads they need not go. It affects the way we do business. Multimillion dollar deals are negotiated by email. If, in an ensuing litigation, these emails are disputed, and their proof demands this level of idiocy, what confidence can we expect anyone to have in our legal system? Note, too, that there is nothing in the Act about the destruction of digital records something that we all know has played a vital part in any number of fraud cases overseas.
The strength of the digital world is in its underlying simplicity. All its complexity and strength still comes from those beautiful binary numbers. That is something the act should have recognized and built on. There’s even a Latin phrase for it: lex parsimoniae or the law of parsimony. It is one of the two principles in Occam’s Razor. Together with the second, the principle of plurality, this is often (and wrongly) translated into something with which we are all familiar, but which the draftsmen of the IT Act forgot: keep it simple.
§3(2): “The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.” ↩
§2 of the IT Act, 2000 ↩
§66 of the IT Act, 2000 ↩
§43 of the IT Act, 2000 ↩
§32 of the IT Amendment Act, 2008 ↩
§65B of the Evidence Act, introduced by the IT Act, 2000 ↩