The government’s proposed legislation on cyber cafés is misplaced.
At the outset, thanks to both @PRSLegislative and @_R_Srikanth for alerting me to a draft legislation put forward by the Department of Information Technology (DIT) on governing the workings of cyber cafés in India. The government has published the draft legislation and sought feedback from citizens, by February 28, 2011. A copy of the draft legislation is available here.
PRSLegislative summarizes the legislation thus:
The draft regulations requires every cyber café to have a license and give internet access to people after they prove their identity to the satisfaction of the cyber café. The cyber cafés are required to maintain the logs of users and of websites accessed by users. Cyber cafés are also required to ensure that their service is not utilised by people for any illegal activity or for viewing pornography. There are requirements on the physical layout of the cyber café — for example, they need to prominently display a board stating that users may not view pornography. [PRSLegislative]
There are several issues with the government’s proposal, of which some are articulated below (those concerned about the proposed legislation are encouraged to respond to DIT directly via the email address provided in PRSLegislative’s blog):
The first question that such a proposed legislation raises is one of objectives. I.e., what does the government hope to achieve by seeing the implementation of the security provisions in the proposed legislation? If the idea is essentially one pertaining to national security — i.e., denying vulnerable systems or networks to individuals who can use them to aid in plotting against the nation, then some security prescriptions outlined appear incongrous to this objective (more on them later).
Second, while the government’s desire to establish the identity of individuals using the café’s wireless network can certainly be appreciated, the proposed legislation does not account for the fact that individuals visiting cyber cafés may just as easily use their own laptops — either within the premises of the cyber café, or in its vicinity (with or without the permission or knowledge of the owners, depending on how wireless access points are set up).
Third, unless the government is reasonably sure that none of India’s 81 million Internet users access “obscene” material or pornography within the confines of their homes, or that the government fully expects to track, identify and fully prosecute everyone that does, expecting cyber cafés to warn or to otherwise deter accessing whatever the government may consider “obscene” (not defined) is beyond ridiculous.
The question of whether or not a democratic government should have the right to dictate to its citizens, under whose consent it governs, as to what they can or cannot see is another issue (for the record, no it shouldn’t). Again, the question here is about objectives. If this is about national security, then this particular provision conflicts with the overall objective of the proposed legislation.
Next, how does the government plan to monitor cyber cafés to ensure they comply with the required standards? The Cyber Café Association of India itself has a membership of 180,000 cyber cafés and 40,000 Internet kiosks. It is safe to assume that the entire population of cyber cafés in India is considerably larger. Unless the government has adequate financial and manpower resources to regularly ensure compliance, the legislation becomes meaningless.
Further, whenever physical or logical security requirements are mandated, there are costs associated with them. These will have to be borne by the cyber cafés (who will need to invest time and money in installing and monitoring services) and by the government (to ensure that standards are being adhered to). Additionally, cyber cafés will need to obtain a license (unsure if these are different from the licenses that cyber cafés are already required to obtain), which, no doubt, will have costs associated with it, which eventually will be passed on to their patrons.
The whole point of security, however, is that it must be an enabler, not a deterrent to business. Some of the provisions articulated in the proposed legislation are indeed laudable (the intent to protect minors, deter terrorists and their collaborators, etc.), however, when taken as a whole, the proposed legilation will have a negative impact on cyber cafés in India. Especially if the government is unclear about the raison d’être for this legislation and doesn’t really have any desire or ability to enforce the provisions of the legislation.
It will be an example of a clueless GoI chasing its own tail, and unfortunately, not for the first time.