While attempting to understand the provisions of the Indian Information Technology Act 2000, it is important to remember that the legislation is, first and foremost, electronic commerce legislation. When the very first draft version was prepared it was called the Electronic Commerce Bill, in keeping with the prime objectives and duly referring to the Ministry of Commerce, from where it came. With the subsequent creation of the Ministry of Information Technology, the draft Bill was re-christened with the rather generic title of the Indian Information Technology Bill. The raison d'etre was the same – 'functional equivalence' that electronic records and transactions would be accorded an equal weight in evidence law as traditional paper records.

Crimes must be distinguished or be capable of distinction based on whether they are crimes relating to the machine (the computer or any other electronic device) or crimes relating to the medium (the internet). What is the role of the medium vis-a-vis the crime? In this realm, education plays a major role. Law enforcement needs desperately to understand the ingredients of a crime in the new medium. The police need to be educated to know that not every offence involving a computer is a cyber crime. For one, the term 'cyber crime' is not defined in the Act. There are numerous crimes, such as 'cyber blackmail' and 'cyberstalking' where either the medium is merely incidental to or plays a part in enhancing the crime; but where nonetheless traditional law would hold strong and fast. What is needed is perhaps an urgency to classify computer offences, and also review offence provisions under national intellectual property (IP) laws; so that all IP statutes are in sync with the Information Technology Act.

It is important to remember that the internet is principally a medium which can be regulated by regulating its 'layers'. To be effective a law must apply to (or regulate) one or more 'layer' – (a) the physical (the wires, hardware, the 'device' itself); (b) the digital (the code or the 'spectrum'); or (c) content (whether prohibited socially censored comments or proprietary material).

The proposed amendments to the Information Technology Act are, to a measurable extent, a reaction to recent developments (service provider liability issues and auction sites; sleazy multimedia message service clips and the like). Offences under the Act have been made compoundable; that is to say, the parties can compound (aggravate) the case and settle it between themselves. This is welcome as most crimes target specific individuals and it is right for individuals to sort out the situation.

The problem remains with ambiguous phrases. For instance, the amended section 43 (2) makes it mandatory for companies to include "reasonable security measures" while handling data. Precisely what the term 'reasonable' indicates is anyone's guess.

The Act provides for essentially economic offences or crimes in the medium that are linked to economic loss or detriment. The Government would do well to take a proverbial leaf from the Organisation for Economic Co-operation and Development's Guidelines on Cybercrime and the Council of Europe's Convention on Cybercrime. Social offences like pornography, when included, are superfluous due to the existing provisions in the Indian Penal Code. Neither has the language or expression changed from 1860. We, in line with Thomas Macaulay's criminal laws system introduced under British rule, do outlaw that which is "lascivious" or which "appeals to prurient interest"; reaffirming that nothing has changed in 145 years. The inclusion of a provision banning child pornography could well be a case of 'over-legislation' considering the existing blanket ban on pornography per se; both in the Information Technology Act 2000, as well as the Indian Penal Code 1860.

The amendments ignore existing international classifications of cyber crimes. The Council of Europe's Convention on Cybercrime identifies the following as offences which should be incorporated into substantive criminal law; some of the provisions are particularly relevant:

- offences against the confidentiality, integrity and availability of computer data and systems;

- illegal access;

- illegal interception;

- data interference;

- computer-related offences;

- computer-related fraud;

- content-related offences;

- racial hatred, obscenity, among other classifications;

- offences related to infringements of copyright and related rights (Title 4); and

- offences related to infringements of copyright and related rights (Art. 10).

Chapter II of the Convention goes on to canvass procedural matters such as collection and preservation of evidence, production orders, search and seizure, data interception and jurisdictional issues. Chapter III deals with mechanisms for international cooperation.

While the amended version of the Act strengthens provisions on confidentiality and data privacy, the inclusion of a solitary provision on data privacy is quite in contrast to Europe where data protection provisions are enshrined in directives at the European Union (EU) level and in national legislation. In fact, data protection is sine qua non for EU candidate status. 'Data subjects' must have rights enshrined in explicit rules with a detailed enforcement mechanism rather than relying on a lone section to do the task of an entire legislation. Only a detailed data protection law is needed, not merely for the IT industry but for the citizens on India. The right to know, balanced with the right to privacy, is the hallmark of a democracy.