ABSTRACT
Rapid advancements in Computer Technology have brought a tectonic shift to computing technology in matters such a how data is stored or processed or transmitted in a computer system. Technological advances such as Artificial Intelligence, Quantum Computing, 3D Printing, Cyber Physical Systems of the manufacturing industry, Big Data Analytics etc., have shaken the very edifice of different aspects of Cyber Law starting from the definition of Data , Data Processing, Computer, Privacy protection, Attribution, Privacy , etc.
After a while, technology is expected to be so different from the time the earlier laws were framed that Cyber Jurisprudence may not even permit “Reading Down ” of a provision since it can be argued that the law makers could not envisage the situation as it exists now and hence Courts cannot apply old laws to current situations.
This paper discusses a few of the challenges that the Judiciary may face in the light of some of the recent technological advances. The paper recounts some of the areas where current laws have posed problem for judicial interpretation even in the context of current technologies and then discusses the additional difficulties that may come up when technology advances further.
Indian Cyber Law was structured as a “Bridging Provision”:
Information Technology Act 2000 as amended in 2008 (ITA 2000/8), is the current law for the Cyber space transactions in India. It was drafted with a bridging provision under Section 4 which meant that unless otherwise required, the current laws prevailing in the country and applicable to paper documents could be automatically extended to the requirements of Electronic documents. However a few special instances were recognized and specific amendments to other legacy legislations were suggested when the law was passed in 2000 and amended in 2008. Such changes were mainly made to Indian Evidence Act though some changes were also made to IPC, Banker’s Bo ok Evidence Act and RBI Act. A few exceptions were also listed where the Act was not to be applied to certain documents and the list of such documents included Negotiable Instruments other than the Cheque, Trust Deed, Will, Power of Attorney and documents for transfer of title in an immovable property.
After the enactment of the law and subsequent amendments, three specific technology related challenges have been confronted by the Judiciary. They are
- Section 66A regarding “Penalization of offensive messages sent through a communication device being violative of fundamental right to freedom of speech”,
- Obtaining an e-Sign certificate online” and
- “Presentation of electronic evidence under Section 65B of Indian Evidence Act “.
Another issue is brewing in the form of a “Pending Bill” to amend Indian Registration Act 1908 which probably may not get passed in the near future and hence has been ignored in the current discussion.
Scrapping of Section 66A
The first issue of mi s-application of law due to mis-understanding of technology arose when Section 66A of ITA 2000/8 was scrapped by the honorable Supreme Cour;t by holding that “Punishing the act of sending an offensive message through e-mail or SMS message” violated the Fundamental Right to Freedom of Expression” guaranteed under the constitution .
In this context, Court ignored the counter argument that “Messaging” is different from “Publishing” and the section only related to “Messaging between two individuals” and not to ” Public Speech”. In view if this, the alternate view was that the issue under content ion was whether the “Receiver of the message experienced harassment or threat etc.” and not the possible effect of the message on the society since the message was never meant to be exposed to the society.
Unfortunately, in some instances which were brought before the Court, police had erroneously booked cases under Section 66A as if a “message” was equivalent to “publication”.
The Court was rightly annoyed that the Police had tried to prosecute persons who had expressed some innocuous views and opinions on some political events. But instead of identifying and fixing the root cause behind the police action as a misunderstanding of how technology handled ” One to one messaging in private space ” as compared with “One to Many messaging in public space”, Court came to the conclusion that it was the section which was wrongly worded and had to be scrapped . The Court declared that it was not possible to read down the section for the given context and nothing short of scrapping of the section was the solution.
The technology challenge in this Section 66A issue which the Court was confronted with and failed to resolve was to determine whether a ” Face Book Posting” or ” Twitter Posting” visible to the public and searchable in a search engine like Google is same as ” E Mail sent from one person to another ” or an “SMS sent from one mobile owner to another ” which were not available for view by anybody other than the recipient unless he decided to publish it at his choice.
Court interpreted that there is no difference between a ” Publicly available information” and a ” Confidential private message” and hence there could be a ” Chilling effect on the society” if an individual sent a personal SMS message to another person. It appeared that the Court could not appreciate the difference between a Social Media platform from a Communication technology.
In this instance the technology challenge was faced by the Judiciary which had a difference of opinion with the law makers. Court ended up considering the erroneous interpretation of the Police as correct and proceeded to change the law by a judicial axe.
E- Sign System of El ectronic Signature
The second instance of technology that created a challenge was with the law makers themselves who were supposed to be technologically well informed and should have therefore solved the technology challenge with which they were confronted with. This was when the system of e-Sign was notified as a form of electronic signature for authentication of electronic documents in 2015. In this instance, Government introduced a system of electronic signature called e-Sign using a procedure which was techno -legally inappropriate.
In the specified procedure for obtaining e-Sign certificate, the application of a subscriber to be made to a Certifying authority was allowed to be made with an e-KYC procedure in which the subscriber’s application was accepted by the Certifying authority as an online electronic document even before the ability to authenticate such an electronic document was granted with the issue of the Certificate.
Also, the generation of a random key pair essential for the issue of the Private key to be used for signing was done on a Hardware Security Module (HSM) device under the control of the Certifying authority and not in control of the subscriber making the application.
The procedures adopted in the system pose a legal question on the validity of the e-Sign as valid authentication under ITA 2000/8.
These anomalies have not come for judicial scrutiny so far and remain a decision of the Controller of Certifying Authority which is an independent authority under ITA 2000/8 and also is a quasi – judicial authority itself.
If critically examined, the procedure may not meet the requirements specified under the law and the system of e-Sign may be considered as ultra-vires the Act. To regularize this scenario, a retrospective change of law may be required.
Section 65B Certification
The third instance where technology has challenged judicial understanding is in the interpretation of Section 658 of Indian Evidence Act 1872 (IEA). In this instance, law clearly laid out under ITA 2000 that electronic evidences shall be admissible as evidence only if they are presented as “Computer Outputs” with a certificate under Section 658 of IEA and not otherwise. It is also stated in this provision that electronic evidence under Sect ion 658 is admitted without the production of the “Original” and also that “no oral admission is relevant as to the contents of electronic records”.
However multiple conflicting judgements from the judiciary in this regard indicate that the Judiciary has not been able to understand and appreciate why Section 658 is necessary and why the procedure mentioned there in is the best suited for admission of electronic documents.
The conflicting decisions of different courts can be observed in the following decisions.
- The first evidence under Section 658 was admitted in a Court on 5th November,2004 (State of Tamil Nadu v. Suhas Katti, AMM Court , Egmore, Chennai;;;) resulting in the successful conviction of the accused. This accepted the evidence as per the provisions of the Act. On 4t th August 2005, honorable Supreme Court of India, in the State (N.T. Of Delhi) v. Navjot Sandhu@ Afsan Guruvi , accepted electronic evidence without Section 658 evidence and held that there was “No bar to adducing secondary evidence under the other provisions of the Evidence Act, namely Sections 63 and 65”. This was ultravires the Act.
- On September 18, 2014, a three member bench of the Supreme Court in Anvar P.V. v. P.K.Basheer and others reversed the order of the earlier bench in the Afsan Guru case and upholded the principles in the Act which had been correctly captured by the Suhas Katti judgement. The order in the Basheer case was a detailed speaking order which should have set aside any doubts about the mandatory need for production of Section 65B certificate for the admissibility of electronic
- On 30th January 2018, a two member bench of the Supreme Court delivering an interim judgement on an SLP (2302 of 2017) in the Shafhi Mohammad Vs The State of Himachal Pradesh SLP stated
“…we clarify the legal position on the subject on the admissibility of the electronic evidence, especially by a party who is not in possession of device from which the document is produced. Such party cannot be required to produce certificate under Section 65B (4) of the Evidence Act. The applicability of requirement of certificate being procedural can be relaxed by Court wherever interest of justice so justifies”
The frequent flip-flops by different judges of the supreme court with the smaller bench having the courage to issue a clarification to overrule the decision of the larger bench indicates that Section 65B provisions have completely foxed the Judicial community and created a divide within the judiciary.
The resulting judicial chaos is threatening the future of Cyber Law interpretation in the country and must be resolved.
The problem in Section 65B confusion can be traced to the inability of the Judicial system to understand that “An Electronic Evidence” exists inside a computing device in the form of “Binary Impressions” which are interpreted by a chain of software and hardware devices to be finally presented to an end user as “Text” or “Audio” or “Video”.
As a result of this, human experience of electronic evidence is always dependent on software and hardware and is not an “Absolute experience”.
Hence Section 65B rightly mandated that a “Certifier” should assume the responsibility to tell the Court to the effect that
“Here is a Computer Output which may be admitted as evidence. This is a faithful and a reliable rendition of the binary impressions that constitute the evidence”.
The section 658 also stated in effect that
“The computer output may be produced in the form of a Print out and the Original Binary Impressions are not required to be produced before the Court because any way it cannot be produced in its absolute form”.
If the need for such certification is eliminated as declared in the Shafhi Mohammad case, then any fabricated evidence presented in the Court could be admitted without any person taking responsibility for the “Apparent form of the evidence” let alone the “Genuineness” of the evidence.
Thus the inability of the bench in the Shafhi Mohammad decision to appreciate the technical aspect such as
– “A Binary Impression on a magnetic or optical storage device called a hard disk or a CD is what the Judiciary is looking up as an Electronic Evidence”,
-” which though is the Primary instance of the evidence, can be seen and experienced by a human being only in its Secondary form” has created a judicially chaotic situation where lower courts are emboldened to reject the decisions of the higher courts.
Section 65B confusion is not because the law is inadequate but it is because the judiciary is unable to understand the intention behind the section. This cannot be corrected by changing the law. The inconsistent nature of interpretation can only be corrected by the judiciary developing a “Techno legal mindset” shedding some of the age old concepts such as “Primary” document and “Secondary Document” etc.
It is in the context of such Techno Legal difficulties that we look towards the emerging technologies such as “Artificial Intelligence” and “Quantum Computing” and debate the emerging challenges.
“Artificial Intelligence” (A l) is a system of data processing where the machine is programmed to learn by its own earlier experiences and re-set itself to new decision rules as against the normal programming scenario where it is pre-programmed to a given set of decision rules set by the human programmer. Al is often supported by “Big Data” collected from multiple sources and multiple contexts but integrated at the time of processing to derive better meaning.
Quantum computing (QC) is a system of computing where the binary data storage and processing system will be replaced by quantum bit storage and processing system. Both will have an impact on the interpretation of law by the judiciary and require a completely new line of judicial thinking.
Challenges posed by Artificial Intelligence (Al):
Recently two incidents have highlighted the Cyber Legal issues that will be emerging in the area of Al and Big Data Analytics. First incident is that of the fatal accident created by an autonomous Uber Car in Arizona. Second is the controversy surrounding the personal data of 50 million Face Book users which were processed for creation of psychometric profiling by an academician through a mobile app and subsequently suspected to have been used in creating an election campaign.
In the Uber Autonomous car accident, the Car was cruising in the driverless mode under the control of Software that should have detected obstacles and applied brakes when required. It however failed to apply brakes when the victim was crossing the road and knocked down the person without even slowing down. At the time of the accident there was a supervisor at the driver’s seat but he was not controlling the car.
The legal issue now is who is legally liable for the accident. Apparently Uber the owner of the car is the prime accused. But Uber would like to place blame on the creator of the software which was working on an Al processing system. The software developer may however blame the sensor failure and the sensor failure may blame the real time connectivity. The final decision on who is responsible will depend on the Forensic evidence that includes the log records within the Car system and the central server if there was real time connectivity of the server with the Car navigation system.
The fault may also lie in the mechanical system of braking which could have also failed in a normal car. There is also an issue of what was the role of the man behind the wheels. There is a question on whether he had an opportunity to take control and prevent the accident and whether he failed to do so or whether the system of taking over the manual control failed to respond.
Current laws in India have a provision to deal with the action of automated software and attribute it to the “person who caused the software to operate automatically” (Section 11 of ITA 2000/8). This provision of “Attribution” was conceived to address the automated responses of servers such as acknowledging an e-mail.
On the other hand, the current Al context involves a circumstance when the “automatic operation” is related to ” Cognitive sensing” of an event and “taking real time decisions ” by the system as also ” generating an output action instruction” based on machine learning. This cannot be equated to the automated response of a server based on a set of decision rules.
One school of thought is that extending the “Principle of Attribution” to the Al scenario is stretching the current law a bit too far and the current laws must be considered inadequate to the Al scenario. Even the ability to interpret the electronic evidence necessary to be evaluated in this instance could be difficult given our earlier experiences with electronic evidence. As a result, convictions may be almost impossible under the current laws.
On the other hand, to meet the Al challenge of attribution, we may have to define “Automated Response” at two levels.
First being the “Reflexive Response” based on pre-determined decision rules input by a human being which is the default configuration of software.
The second could be the “Considered Response” where the machine learning has modified the earlier human set rules and created a new version of rules.
Law has to then decide how much of liability will be attributed to the “human negligence” in programming and how much to a “Technical failure beyond the control of humans”.
Further, in view of the multiple parties involved as in the case of the Uber incident, we may also have to define “Due Diligence” for each of the parties. Probably we may also have to fix “Joint and Several liability” for different stake holders such as the Al software developers, the “Sensors which feed data to the Al software”, the “Owners of the integrated devices”, the “Network service providers who carry the data in and out of the Al environment” etc.
The second instance that has been in discussion in recent days is the case of a Cambridge Analytica Face Book data usage controversy. This has two elements of law to contend with, one being the “Privacy Issue” and second being the status of a “Value addition process” for raw data.
In this case, there was an academician who collected data from Face Book users on a consent basis and processed it for conducting a psychometric analysis of the data subjects to arrive at some scientific hypothesis. This resulted in “Value added” information being generated out of the raw data.
This value added data was passed on by the researcher to a marketing firm namely Cambridge Analytica which could be also for the validation and testing of the hypothesis. However, this value added data was used for designing a marketing campaign for an election to determine what communication would make a citizen vote for a given candidate. Whether the hypothesis worked and contributed to a successful campaign or not is a subject matter of another research not connected with the current controversy.
There is now a charge that there has been a breach of privacy by Face Book which allowed the data to be used by the academician in a manner that was not in conformity with the consent given first to Face Book and then to the App owner.
The moot point is whether law should recognize that it was a due diligence requirement of Face Book, to have verified the source code of the App and check if the consent provided by the users to the App was exactly what the App was acting on. Whether this is reasonable for a “Social Media” and consistent with the media laws, has to be also determined.
The Current Privacy and data protection laws are designed for a situation where a human accesses personal data under consent and if he uses it for “Marketing” which may not be permitted in the consent, it is considered as a serious breach of Privacy.
On the other hand, in the Al scenario, the data is processed by an Al algorithm, which is a non- human entity. A non-human entity looking at the data is not necessarily to be considered as “Data Disclosure” for Privacy purpose. This non-human entity (Al algorithm) processes the data and draws some inference which may be correct or incorrect. The “inferred data” is similar to a “Pseudonymized Data” rather than “Real Data” . The humans may thereafter look at the data in the processed form which is not the raw data and take decisions including using the processed data for marketing. But the doubt remains whether they are actually using the raw data which is real or a processed data which is an inference which may be correct or incorrect. The disclosure of the inferred data may not therefore be considered as equivalent to disclosure of raw data.
In the emerging scenario where “Data is the New Oil”, it is not possible to eliminate the machines accessing personal data without a huge regression in the development of the society.
It may therefore be necessary for the Privacy laws under the Al scenario to re-define “Privacy Breach” which excludes the access of personal data by a computer even if the data is considered identifiable and also appreciate the concept of “Inferred data” being different from raw data and is more similar to pseudonymized data. Privacy Breach may however be recognized when “Data which is identifiable as belonging to a living person is accessed by another living person”. When a Computer hands over data to a human being in an “identifiable manner”, the recipient could be held responsible for its use as per consent or as per legal exceptions under which access is permitted without consent.
We therefore need to formulate a new law that is acceptable to the Pr ivacy activists and the Big data analytics industry by such re-definition of what is Privacy right and when is it considered as breached. The current laws may be considered inadequate to meet the Privacy requirements in the Al era.
Quantum Computing:
Another major technological development that has occurred in the recent years which is like ly to completely turn around all the concepts of Computerization which is embedded into our Cyber Law is “Quantum Computing”.
Quantum computing is considered to be capable of increasing the computing powers at exponential rate so that computing will become incredibly fast. The speed with which computing can be done in the Quantum computing (QC) scenario actually introduces a paradigm that may take “Artificial Intelligence applications” and “Big Data (BD) Analytics” to an entirely new level. As a result, there would be boosting of not only the speed of computing but also creation of new uses.
This AI-BD-QC combination would be so powerful that we will be in a generation that is far different from the current computing environment. When technology moves, it is essential that Cyber Law tries to catch up with the changes. If a proper attempt is not done now, Judiciary will fall so much short of expectations that it could become redundant.
This will give raise to a “Lawless society” where hackers and criminals will have a free rein without the fear of law. Hence there is a need to address this issue of keeping our cyber laws in pace with the technology.
Understanding Quantum Computing:
In terms of Computing, the Quantum Computing introduces two distinct changes to the system we are presently aware. One is called “Super positioning” and another is called “Entanglement”.
The current system of computing runs on the basis of ”Transistors” and ” Blocks of Data” which can be made to either carry a charge or not carry any charge. The data points can also be looked at as a series of light bulbs which is either “On” or “Off”. The transistors can be made to either allow electricity to pass through or not pass through and can be used as gates for data processing.
This technology is ideally suited for the system of “Binary” representation of data where any data point can be represented either as an “On” state or an “off” state as two of the binary representations.
On the flip side, every instruction in a binary computerization system has to be processed one step at a time. Each time the processor should be asked a question for which the answer is either Yes or No. As a result the speed of processing has a limitation in binary processing.
Similarly data has to be stored with each unit of storage (bit) and is capable of taking only one values either a zero or one at a time. This limits the amount of data that can be stored in a given resource.
In the Quantum bit scenario, each unit of data storage is called a “Quantum Bit” or a “Qubit”. The “Qubit” has a property of being able to take either Zero or one simultaneously. In other words each unit of data can take two positions “Zero” or “One”.
When multiple Qubits are used for data storage, the data storage capacity increases exponentially and holds larger amount of data.
It is interesting to note that while the same Qubit holds multiple values simultaneously, when it is invoked for measurement, it takes a specific value. This is a principle of Quantum Mechanics that states that when the state of an electron is measured, it takes a specific value but at other times it may be under an “Uncertain” state.
The second property of Quantum Computing which is called “Entanglement” is even more intriguing. This indicates that under certain conditions, two particles get “Entangled” in such a manner that any change of state in one of the entangled particle of the pair will automatically change the state of the other particle even if the two particles are physically separated and is not connected either by wire or by wireless communication that we know of today.
The “Entanglement” is a phenomenon which is not easy to comprehend and appears more like fiction. But it has been experimentally tested and it is proven that if one of the pair of the entangled particle is changed from value “O” to “l”, the partner particle also changes from its current state say of “1” to “O”. This means that bits can be remotely changed by manipulating one of the members of the pair . In other words, entangled particles can be transposed at a different physical location without directly making the changes.
The “Entanglement Property” will define a new kind of “Entangled Connectivity” like the wired connection through Ethernet, or an optical fiber or wireless connections through microwave or radio waves. Law may have to recognize this new “Entangled Connectivity” though it cannot be understood in any other known human experience.
It is therefore interesting to speculate how the law has to respond to the concept of “Super Positioning” and “Entanglement” in Quantum Computing scenario.
Challenges in Evidence presented by Quantum Computing
These Quantum properties have presently unknown potential to create issues in Cyber Forensics and Evidence gathering.
In the “Binary” method of computing used in Classical Computing, a “Bit” is in a defined state. Hence accepting it as “Evidence” is feasible despite the uncertainties discussed earlier arising out of the conversion of the binary impression into a humanly readable form with the use of intermediary software and hardware.
In Quantum computing, the Qubits will not be in any specific state . There will however be a “Probability” that it will be in a given state when measured and this “Probabilistic Value” is considered the “Real Value of the Bit”. It would be difficult to see how the current law can react to such a concept of a “Probabilistic Value”.
It is safer to say that current law will reject the concept that an electronic document can be created from Qubits which may be either in zero or one state at the same time but its probabilistic value is what comes out as a unit for creation of a sequence of bits which form a document.
Going into the future, Quantum Computing is expected to be used in back end processing along with Classical computing at the input and output end. In such an integrated system, the data processing will start from a classical computer, go through a quantum computer and again presented in a Classical computer.
As long as the end points of processing are controlled by classical computers, law can successfully handle the legality of electronic documents produced by such an integrated system by considering the Quantum Computing part to be part of the operating system which is an intermediary system.
In fact, Section 65B interpretation may still survive in the QC scenario since it focuses on the “Computer Output” as generated in the viewer’s computer and ignores the “Original Status” or the “Earlier operations that go behind the scene”.
However, in Cyber Forensics, the challenges do remain where the integrity of the quantum computing component is as important to be proved as the integrity of the classical computers that appear at each end of the transaction.
For example, if a given Qubit had a probabilistic value of 70% to be a “Zero” but the document indicates that the value was a “One”, a Forensic evaluator has to certify that it is possible that the Qubit can have a value of “One” in 30% of the time when the number of instances measured is large. If the sample size is not big enough, it is possible that the results appear to be different from the probabilistic values and the Forensic expert may have to justify what otherwise appears to be an anomaly.
At this point of time, it is difficult to envision what sort of Cyber Forensic tools will enable a Forensic evaluator to come to such conclusion with a level of certainty with which he can stand in a Court and make a statement under oath.
If in a cross examination today, if a witness says that the answer to a question is both yes and no, he would be chastised, but an expert in Quantum computing will always say there is X % probability that the answer is yes and Y % probability that the answer is Y but in any given single measurement, the result could be either X or Y.
Unless the Criminal Justice System is able to device methods by which the concept of “Proving beyond Reasonable Doubt” can be over ruled, no evidence in a QC scenario would be considered acceptable for criminal convictions.
The criminals in the QC era would be happy if the Law remains what it is today while the technology changes.
It is also possible that if a computer program has been constructed taking into account a certain probabilistic value of a Qubit and the actual value turns out to be different and therefore the software misbehaves. Fixing liability for such misbehavior of software could be the challenge that the future judiciary will face. It is precisely such instances which are occurrences beyond the 2 sigma level of probability that may make the fiction stories of a Humanoid Robot turning a rogue a reality. Hence Judiciary should be ready to handle such exceptions by creating a robust Cyber Law for the Future.
If we accept that Science can accept the theory of uncertainty, then law has to also follow suit. We can therefore see a futuristic scenario where if the electronic evidence has any trace of Quantum Computing, a different set of principles of Criminal Justice would be applicable which will accept “Proving within probabilistic certainty” is sufficient to convict a person.
This is an example of why we should “Unlearn, shred and shed” some of our current strong beliefs if we want to face the techno legal challenges of the coming days.
This Article has been written by Na.Vijayashankar, Cyber Security and Cyber Law Consultant, Bengaluru.