
Report on 12 years of the Information Technology Act


17th October, 2012

Rohas Nagpal
Asian School of Cyber Laws

This document may be reproduced and distributed freely
but may not be modified. Attribution is mandatory.

www.asianlaws.org


Published in 2012 by Asian School of Cyber Laws.


Copyright 2012 by Rohas Nagpal. All rights reserved.
This document may be reproduced and distributed freely
but may not be modified. Attribution is mandatory.
No investigation has been made of common-law trademark
rights in any word. Words that are known to have current
trademark registrations are shown with an initial capital and
are also identified as trademarks.
The inclusion or exclusion of any word, or its capitalization, in
this book is not, however, an expression of the publisher's
opinion as to whether or not it is subject to proprietary rights,
nor is it to be regarded as affecting the validity of any
trademark.
This book is provided "as is" and Asian School of Cyber Laws
makes no representations or warranties, express or implied
either in respect of this book or the software, websites and
other information referred to in this book.
By way of example, but not limitation, Asian School of Cyber
Laws makes no representations or warranties of
merchantability or fitness for any particular purpose or that
the use of licensed software, database or documentation will
not infringe any third party patents, copyrights, trademarks or
other rights.
Printed in India


The chosen case scenarios are for instructional purposes
only and any association to an actual case and litigation is
purely coincidental. Names and locations presented in the
case scenarios are fictitious and are not intended to reflect
actual people or places.

Reference herein to any specific commercial products,
processes, or services by trade name, trademark,
manufacturer, or otherwise does not constitute or imply its
endorsement, recommendation, or favoring by Asian School
of Cyber Laws, and the information and statements shall not
be used for the purposes of advertising.


Contents

1. Chronological Development of Indian Cyber Law
2. Real World Cases
   1. Social networking sites related cases
   2. Email Account Hacking
   3. Credit Card Fraud
   4. Online Share Trading Fraud
   5. Tax Evasion and Money Laundering
   6. Source Code Theft
   7. Theft of Confidential Information
   8. Software Piracy
   9. Music Piracy
   10. Email Scams
   11. Phishing
   12. Cyber Pornography
   13. Online Sale of Illegal Articles
   14. Use of Internet and Computers by Terrorists
   15. Virus Attacks
   16. Web Defacement
3. Important Case Law under Information Technology Act
   1. ATMs - Computers or not?
   2. Jurisdiction issues for Electronic Contracts
   3. Source code issues in cell phone unlocking
   4. Liability of CEO of company under anti-porn law
4. Role of Asian School of Cyber Laws in the development of Cyber Law
5. Information Technology Act as amended from time to time with brief comments
6. About the author

ONE

1. Chronological Development of Indian Cyber Law


The outline of the chronological development of Indian cyber
laws is as below:
Year - Development

2000
1. Information Technology Act, 2000 came into force
2. Indian Penal Code, 1860 amended
3. Indian Evidence Act, 1872 amended
4. Bankers Book Evidence Act, 1879 amended
5. Reserve Bank of India Act, 1934 amended
6. Information Technology (Certifying Authorities) Rules, 2000 came into force
7. Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000 came into force

2001
Information Technology (Certifying Authority) Regulations, 2001 came into force

2002
1. Executive Order issued
2. Guidelines for submission of certificates and certification revocation lists to the Controller of Certifying Authorities for publishing in National Repository of Digital Certificates issued.
3. Information Technology (Removal of Difficulties) Order, 2002 passed.
4. The Information Technology Act was amended by the Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002.

2003
1. Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 were passed.
2. Cyber Regulations Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Presiding Officer) Rules, 2003 were passed.
3. Information Technology (Other powers of Civil Court vested in Cyber Appellate Tribunal) Rules 2003 were passed.
4. Information Technology (Other Standards) Rules, 2003 passed.
5. The Information Technology (Certifying Authorities) Rules, 2000 were amended.

2004
1. Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 passed.
2. The Information Technology (Security Procedure) Rules, 2004 passed.
3. The Information Technology (Certifying Authorities) Rules, 2000 were amended.

2006
The Information Technology (Certifying Authorities) Rules, 2000 were amended.

2009
1. The Information Technology (Amendment) Act, 2008 came into force.
2. Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 passed.
3. Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 passed.
4. Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 passed.
5. The Cyber Appellate Tribunal (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009 passed.
6. Cyber Appellate Tribunal (Procedure for Investigation of Misbehaviour or Incapacity of Chairperson and Members) Rules, 2009 passed.
The Information Technology (Certifying Authorities) Rules, 2000 were amended.

2011
1. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 passed.
2. Information Technology (Intermediaries guidelines) Rules, 2011 passed.
3. Information Technology (Electronic Service Delivery) Rules, 2011 passed.

A brief explanation of these developments is mentioned below:
2000:
The primary source of cyber law in India is the Information
Technology Act, 2000 (hereinafter referred to as the Information
Technology Act) which came into force on 17th October 2000.
The primary purpose of the Information Technology Act is to
provide legal recognition to electronic commerce and to
facilitate filing of electronic records with the Government.
The Information Technology Act also penalizes various cyber
crimes and provides strict punishments (imprisonment terms
up to 10 years and compensation up to crores of rupees).
The Indian Penal Code (as amended by the Information
Technology Act) penalizes several cyber crimes. These include
forgery of electronic records, cyber frauds, destroying
electronic evidence etc.
Digital Evidence is to be collected and proven in court as per
the provisions of the Indian Evidence Act (as amended by the
Information Technology Act).

In case of bank records, the provisions of the Bankers Book
Evidence Act (as amended by the Information Technology Act)
are relevant.
Investigation and adjudication of cyber crimes is done in
accordance with the provisions of the Code of Criminal
Procedure, Civil Procedure Code and the Information Technology
Act.
The Reserve Bank of India Act was also amended by the
Information Technology Act.
On 17th October 2000, the Information Technology (Certifying
Authorities) Rules, 2000 also came into force. These rules
prescribe the eligibility, appointment and working of Certifying
Authorities. These rules also lay down the technical standards,
procedures and security methods to be used by a Certifying
Authority.
The Cyber Regulations Appellate Tribunal (Procedure) Rules,
2000 also came into force on 17th October 2000.
These rules prescribe the appointment and working of the
Cyber Regulations Appellate Tribunal whose primary role is to
hear appeals against orders of the Adjudicating Officers.
2001:
Information Technology (Certifying Authority) Regulations, 2001
came into force on 9th July 2001. They provide further technical
standards and procedures to be used by a Certifying Authority.
Two important guidelines relating to Certifying Authorities
were issued. The first are the Guidelines for submission of
application for license to operate as a Certifying Authority
under the Information Technology Act. These guidelines were
issued on 9th July 2001.
2002:
An Executive Order dated 12th September 2002 contained
instructions relating to provisions of the Act with regard to
protected systems and application for the issue of a Digital
Signature Certificate.
Next were the Guidelines for submission of certificates and
certification revocation lists to the Controller of Certifying
Authorities for publishing in National Repository of Digital
Certificates. These were issued on 16th December 2002.
Minor errors in the Act were rectified by the Information
Technology (Removal of Difficulties) Order, 2002 which was
passed on 19th September 2002.
The Information Technology Act was amended by the
Negotiable Instruments (Amendments and Miscellaneous
Provisions) Act, 2002. This introduced the concept of electronic
cheques and truncated cheques.
2003:
On 17th March 2003, the Information Technology (Qualification
and Experience of Adjudicating Officers and Manner of Holding
Enquiry) Rules, 2003 were passed.
These rules prescribe the qualifications required for
Adjudicating Officers. Their chief responsibility under the IT
Act is to adjudicate cases such as unauthorized access,
unauthorized copying of data, spread of viruses, denial of
service attacks, disruption of computers, computer
manipulation etc.
These rules also prescribe the manner and mode of inquiry and
adjudication by these officers.
The appointment of adjudicating officers to decide the fate of
multi-crore cyber crime cases in India was the result of the
Public Interest Litigation (PIL) filed by students of Asian School
of Cyber Laws (ASCL) [1].
The Government had not appointed Adjudicating Officers or
the Cyber Regulations Appellate Tribunal for almost 2 years
after the passage of the IT Act. This prompted ASCL students to
file a Public Interest Litigation (PIL) in the Bombay High Court
asking for a speedy appointment of Adjudicating officers.
The Bombay High Court, in its order dated 9th October 2002,
directed the Central Government to announce the appointment
of adjudicating officers in the public media to make people
aware of the appointments. The division bench of the Mumbai
High Court consisting of Hon'ble Justice A.P. Shah and Hon'ble
Justice Ranjana Desai also ordered that the Cyber Regulations
Appellate Tribunal be constituted within a reasonable time
frame.
Following this, the Central Government passed an order dated
23rd March 2003 appointing the Secretary of Department of
Information Technology of each of the States or of Union
Territories of India as the adjudicating officers.
[1] Vishal Kumar & Others vs Union of India & Others (Case no PIL 61/02)

The Cyber Regulations Appellate Tribunal (Salary, Allowances
and other terms and conditions of service of Presiding Officer)
Rules, 2003 prescribe the salary, allowances and other terms
for the Presiding Officer of the Cyber Regulations Appellate
Tribunal.
Information Technology (Other powers of Civil Court vested in
Cyber Appellate Tribunal) Rules 2003 provided some additional
powers to the Cyber Regulations Appellate Tribunal.
Also relevant are the Information Technology (Other Standards)
Rules, 2003. An important order relating to blocking of
websites was passed on 27th February, 2003. Under this,
Computer Emergency Response Team (CERT-IND) can instruct
Department of Telecommunications (DOT) to block a website.
The Information Technology (Certifying Authorities) Rules, 2000
were amended.
2004:
Information Technology (Use of Electronic Records and Digital
Signatures) Rules, 2004 have provided the necessary legal
framework for filing of documents with the Government as
well as issue of licenses by the Government. It also provides for
payment and receipt of fees in relation to Government bodies.
The Information Technology (Security Procedure) Rules, 2004
came into force on 29th October 2004. They prescribe
provisions relating to secure digital signatures and secure
electronic records.

The Information Technology (Certifying Authorities) Rules, 2000
were amended.
2006:
The Information Technology (Certifying Authorities) Rules, 2000
were amended.
2009:
The Information Technology (Amendment) Act, 2008, which
came into force on 27th October, 2009 has made sweeping
changes to the Information Technology Act.
The following rules have also come into force on 27th October,
2009:
(1) Information Technology (Procedure and Safeguards for
Interception, Monitoring and Decryption of Information) Rules,
2009.
(2) Information Technology (Procedure and Safeguard for
Monitoring and Collecting Traffic Data or Information) Rules,
2009.
(3) Information Technology (Procedure and Safeguards for
Blocking for Access of Information by Public) Rules, 2009.
(4) The Cyber Appellate Tribunal (Salary, Allowances and Other
Terms and Conditions of Service of Chairperson and Members)
Rules, 2009.
(5) Cyber Appellate Tribunal (Procedure for Investigation of
Misbehaviour or Incapacity of Chairperson and Members) Rules,
2009.
The Information Technology (Certifying Authorities) Rules, 2000
were amended.
2011:
Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules,
2011 passed. These rules define sensitive personal data or
information and form the crux of India's data privacy law.
Information Technology (Intermediaries guidelines) Rules, 2011
passed. These rules explain the due diligence to be observed by
intermediaries.
Information Technology (Electronic Service Delivery) Rules, 2011
passed. These rules relate to the system of Electronic Service
Delivery by the Government.


TWO

2. Real World Cases

1. Social networking sites related cases


Social networking sites like Orkut and Facebook are very
popular nowadays. Users of such sites can search for and
interact with people who share the same hobbies and interests.
The profiles of such users are usually publicly viewable.
Scenario 1:
A fake profile of a woman is created on a social networking
site. The profile displays her correct name and contact
information (such as address, residential phone number, cell
phone number etc). Sometimes it even has her photograph. The
problem is that the profile describes her as a prostitute or a
woman of loose character who wants to have sexual relations
with anyone. Other members see this profile and start calling
her at all hours of the day asking for sexual favours. This leads
to a lot of harassment for the victim and also defames her.
Usual motives: Jealousy or revenge (e.g. the victim may have
rejected the advances made by the suspect).
Applicable law
Before 27 October, 2009: Section 67 of the Information Technology Act and section 509 of Indian Penal Code
After 27 October, 2009: Sections 66A and 67 of the Information Technology Act and section 509 of Indian Penal Code

Scenario 2:
An online hate community is created. This community
displays objectionable information against a particular country,
religious or ethnic group or even against national leaders and
historical figures.
Usual motives: Desire to cause racial hatred and communal
discord and disharmony.
Applicable law
Before 27 October, 2009: Section 153A & 153B of Indian Penal Code
After 27 October, 2009: Section 66A of the Information Technology Act and sections 153A & 153B of Indian Penal Code

Scenario 3:
A fake profile of a man is created on Orkut. The profile
contains defamatory information about the victim (such as his
alleged sexual weakness, alleged immoral character etc).
Usual motives: Hatred (e.g. a school student who has failed
may victimize his teachers).
Applicable law
Before 27 October, 2009: Section 500 of Indian Penal Code
After 27 October, 2009: Section 66A of the Information Technology Act and section 500 of Indian Penal Code

2. Email Account Hacking


Emails are increasingly being used for social interaction,
business communication and online transactions. Most email
account holders do not take basic precautions to protect their
email account passwords. Cases of theft of email passwords
and subsequent misuse of email accounts are becoming very
common.
Scenario 1:
The victim's email account password is stolen and the account
is then misused for sending out malicious code (virus, worm,
Trojan etc) to people in the victim's address book. The
recipients of these viruses believe that the email is coming
from a known person and run the attachments. This infects
their computers with the malicious code.
Usual motives: Corporate espionage or a perverse pleasure in
being able to destroy valuable information belonging to
strangers etc.
Applicable law
Before 27 October, 2009: Sections 43 and 66 of the Information Technology Act
After 27 October, 2009: Sections 43, 66, 66A and 66C of the Information Technology Act

Scenario 2:
The victim's email account password is stolen and the hacker
tries to extort money from the victim. The victim is threatened
that if he does not pay the money, the information contained in
the emails will be misused.
Usual motives: Illegal financial gain.
Applicable law
Before 27 October, 2009: Sections 43 and 66 of the Information Technology Act
After 27 October, 2009: Sections 43, 66, 66A & 66C of the Information Technology Act
Scenario 3:
The victim's email account password is stolen and obscene
emails are sent to people in the victim's address book.
Applicable law
Before 27 October, 2009: Sections 43, 66 and 67 of the Information Technology Act
After 27 October, 2009: Sections 43, 66, 66A and 67 of the Information Technology Act. Additionally, depending upon the content, sections 66C and 67B of the Information Technology Act may also apply

3. Credit Card Fraud


Credit cards are commonly being used for online booking of
airline and railway tickets and for other ecommerce
transactions. Although most ecommerce websites have
implemented strong security measures (such as SSL, secure
web servers etc), instances of credit card frauds are increasing.
In credit card fraud cases, the victim's credit card information
is stolen and misused for making online purchases (e.g. airline
tickets, software, subscription to pornographic websites etc).
Modus Operandi 1: The suspect would install keyloggers in
public computers (such as cyber cafes, airport lounges etc) or
the computer of the victim. Unsuspecting victims would use
these infected computers to make online transactions. The
credit card information of the victim would be emailed to the
suspect.
Modus Operandi 2: Petrol pump attendants, workers at retail
outlets, hotel waiters etc note down information of the credit
cards used for making payment at these establishments. This
information is sold to criminal gangs that misuse it for online
frauds.
Usual motives: Illegal financial gain
Applicable law
Before 27 October, 2009: Sections 43 and 66 of the Information Technology Act and section 420 of Indian Penal Code
After 27 October, 2009: Sections 43, 66, 66C, 66D of the Information Technology Act and section 420 of Indian Penal Code

4. Online Share Trading Fraud


With the advent of dematerialization of shares in India, it has
become mandatory for investors to have demat accounts. In
most cases, an online banking account is linked with the share
trading account. This has led to a large number of online share
trading frauds.
Scenario 1:
The victim's account passwords are stolen and his accounts are
misused for making fraudulent bank transfers.
Usual motives: Illegal financial gain
Applicable law
Before 27 October, 2009: Sections 43 and 66 of the Information Technology Act and section 420 of Indian Penal Code
After 27 October, 2009: Sections 43, 66, 66C & 66D of the Information Technology Act and section 420 of Indian Penal Code

Scenario 2:
The victim's account passwords are stolen and his share
trading accounts are misused for making unauthorised
transactions that result in the victim making losses.
Usual motives: Revenge, jealousy, hatred.
Applicable law
Before 27 October, 2009: Sections 43 and 66 of the Information Technology Act and section 426 of Indian Penal Code
After 27 October, 2009: Sections 43, 66, 66C & 66D of the Information Technology Act and section 426 of Indian Penal Code

Modus Operandi:
The suspect would install keyloggers in public computers (such
as cyber cafes, airport lounges etc) or the computer of the
victim. Unsuspecting victims would use these infected
computers to login to their online banking and share trading
accounts. The passwords and other information of the victim
would be emailed to the suspect.


5. Tax Evasion and Money Laundering


Many unscrupulous businessmen and money launderers
(havala operators) are using virtual as well as physical storage
media for hiding information and records of their illicit
business.
Scenario 1:
The suspect uses physical storage media for hiding the
information e.g. hard drives, floppies, USB drives, mobile phone
memory cards, digital camera memory cards, CD ROMs, DVD
ROMs, iPods etc.
Usual motives: Illegal financial gain.
Applicable law
Before 27 October, 2009: Information Technology Act usually does not apply. Applicable laws are usually the Income Tax Act and the Prevention of Money Laundering Act.
After 27 October, 2009: Information Technology Act usually does not apply. Applicable laws are usually the Income Tax Act and the Prevention of Money Laundering Act.

Scenario 2:
The suspect uses virtual storage media for hiding the
information e.g. email accounts, online briefcases, FTP sites,
Gspace etc.
Applicable law
Before 27 October, 2009: Information Technology Act usually does not apply. Applicable laws are usually the Income Tax Act and the Prevention of Money Laundering Act.
After 27 October, 2009: Information Technology Act usually does not apply. Applicable laws are usually the Income Tax Act and the Prevention of Money Laundering Act.

6. Source Code Theft


Computer source code is the most important asset of software
companies. Simply put, source code is the programming
instructions that are compiled into the executable files that are
sold by software development companies.
As is expected, most source code thefts take place in software
companies. Some cases are also reported in banks,
manufacturing companies and other organizations that get
original software developed for their use.
Scenario 1:
The suspect (usually an employee of the victim) steals the
source code and sells it to a business rival of the victim.
Modus Operandi: If the suspect is an employee of the victim,
he would usually have direct or indirect access to the source
code. He would steal a copy of the source code and hide it using
a virtual or physical storage device. If the suspect is not an
employee of the victim, he would hack into the victim's servers
to steal the source code. Or he would use social engineering to
get unauthorised access to the code. He would then contact
potential buyers to make the sale.
Usual motives: Illegal financial gain.

Applicable law
Before 27 October, 2009: Sections 43, 65 & 66 of the Information Technology Act and section 63 of Copyright Act
After 27 October, 2009: Sections 43, 65, 66 & 66B of the Information Technology Act and section 63 of Copyright Act

Scenario 2:
The suspect (usually an employee of the victim) steals the
source code and uses it as a base to make and sell his own
version of the software.
Modus Operandi: If the suspect is an employee of the victim,
he would usually have direct or indirect access to the source
code. He would steal a copy of the source code and hide it using
a virtual or physical storage device. If the suspect is not an
employee of the victim, he would hack into the victim's servers
to steal the source code. Or he would use social engineering to
get unauthorised access to the code.
He would then modify the source code (either himself or in
association with other programmers) and launch his own
software.
Usual motives: Illegal financial gain.

Applicable law
Before 27 October, 2009: Sections 43, 65 & 66 of the Information Technology Act and section 63 of Copyright Act
After 27 October, 2009: Sections 43, 65, 66 & 66B of the Information Technology Act and section 63 of Copyright Act

7. Theft of Confidential Information


Most business organizations store their sensitive information
in computer systems. This information is targeted by rivals,
criminals and sometimes disgruntled employees.
Scenario 1:
A business rival obtains the information (e.g. tender
quotations, business plans etc) using hacking or social
engineering. He then uses the information for the benefit of his
own business (e.g. quoting lower rates for the tender).
Usual motives: Illegal financial gain.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 426 of Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 426 of Indian Penal Code

Scenario 2:
A criminal obtains the information by hacking or social
engineering and threatens to make the information public
unless the victim pays him some money.
Usual motives: Illegal financial gain.

Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 384 of Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66B of the Information Technology Act and section 384 of Indian Penal Code

Scenario 3:
A disgruntled employee steals the information and mass mails
it to the victim's rivals and also posts it to numerous websites
and newsgroups.
Usual motives: Revenge.
Applicable law
Before 27 October, 2009: Sections 43 and 66 of the Information Technology Act and section 426 of Indian Penal Code
After 27 October, 2009: Sections 43, 66, 66B of the Information Technology Act and section 426 of Indian Penal Code

8. Software Piracy
Many people do not consider software piracy to be theft. They
would never steal a rupee from someone but would not think
twice before using pirated software. There is a common
perception amongst ordinary computer users that software is
not property. This has led to software piracy
becoming a flourishing business.
Scenario 1:
The software pirate sells the pirated software in physical media
(usually CD ROMs) through a close network of dealers.
Modus Operandi: The suspect uses high speed CD duplication
equipment to create multiple copies of the pirated software.
This software is sold through a network of computer hardware
and software vendors.
Usual motives: Illegal financial gain.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act
After 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act

Scenario 2:
The software pirate sells the pirated software through
electronic downloads through websites, bulletin boards,
newsgroups, spam etc.
Modus Operandi: The suspect registers a domain name using
a fictitious name and then hosts his website using a service
provider that is based in a country that does not have cyber
laws. Such service providers do not divulge client information
to law enforcement officials of other countries.
Usual motives: Illegal financial gain.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act
After 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act

9. Music Piracy
Many people do not consider music piracy to be theft. They
would never steal a rupee from someone but would not think
twice before buying or using pirated music. There is a common
perception amongst people that music is not property. There
is a huge business in music piracy. Thousands of unscrupulous
businessmen sell pirated music at throwaway prices.
Scenario 1:
The music pirate sells the pirated music in physical media
(usually CD ROMs) through a close network of dealers.
Modus Operandi: The suspect uses high speed CD duplication
equipment to create multiple copies of the pirated music. This
music is sold through a network of dealers.
Usual motives: Illegal financial gain.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act
After 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act

Scenario 2:
The music pirate sells the pirated music through electronic
downloads through websites, bulletin boards, newsgroups,
spam emails etc.
Modus Operandi: The suspect registers a domain name using
a fictitious name and then hosts his website using a service
provider that is based in a country that does not have cyber
laws. Such service providers do not divulge client information
to law enforcement officials of other countries.
Usual motives: Illegal financial gain.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act
After 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 63 of Copyright Act

10. Email Scams


Emails are fast emerging as one of the most common methods
of communication in the modern world. As can be expected,
criminals are also using emails extensively for their illicit
activities.
In the first step, the suspect convinces the victim that the
victim is going to get a lot of money (by way of winning a
lottery or from a corrupt African bureaucrat who wants to
transfer his ill-gotten gains out of his home country). In order
to convince the victim, the suspect sends emails (some having
official-looking documents as attachments).
Once the victim believes this story, the suspect asks for a small
fee to cover legal expenses or courier charges. If the victim
pays up the money, the suspect stops all contact.
Usual motive: Illegal financial gain.
Applicable law
Before 27 October, 2009: Section 420 of Indian Penal Code
After 27 October, 2009: Sections 66A and 66D of the Information Technology Act and section 420 of Indian Penal Code

11. Phishing
With the tremendous increase in the use of online banking,
online share trading and ecommerce, there has been a
corresponding growth in the incidents of phishing being used
to carry out financial frauds.
Phishing involves fraudulently acquiring sensitive information
(e.g. passwords, credit card details etc) by masquerading as a
trusted entity.
Scenario:
The victim receives an email that appears to have been sent
from his bank. The email urges the victim to click on the link in
the email. When the victim does so, he is taken to a "secure
page on the bank's website".
The victim believes the web page to be authentic and he enters
his username, password and other information. In reality, the
website is a fake and the victim's information is stolen and
misused.
Modus Operandi: The suspect registers a domain name using
fictitious details. The domain name is usually such that can be
misused for spoofing e.g. Noodle Bank has its website at
www.noodle.com. The suspect can target Noodle customers
using a domain name like www.noodle-bankcustomerlogin.com.
The suspect then sends spoofed emails to the victims e.g. the
emails may appear to come from info@noodle.com.
The fake website is designed to look exactly like the original
website.
Usual motive: Illegal financial gain.
Applicable law
Before 27 October, 2009: Section 43 & 66 of the Information Technology Act and sections 419, 420 & 468 of Indian Penal Code
After 27 October, 2009: Sections 66, 66A & 66D of the Information Technology Act and sections 419, 420 & 468 of Indian Penal Code
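A defender-side check for the lookalike-domain pattern in the phishing scenario above, added here as an example and not part of the original report: it flags links whose hostname carries the bank's name but is not under the bank's real domain, and links that leave the bank's domain in mail claiming to come from it. The function names, the sample message and the small digit-substitution table are assumptions made for illustration; noodle.com is the report's fictitious bank.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "noodle.com"   # the report's fictitious bank
BRAND = "noodle"                # brand string to look for in foreign hostnames

# Assumed, deliberately small table of digit-for-letter substitutions.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def host_of(url):
    """Return the lower-cased hostname of a URL or bare host, '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def is_trusted(host, trusted=TRUSTED_DOMAIN):
    """True only for the bank's domain itself or a subdomain of it.

    The leading dot matters: 'notnoodle.com' ends with 'noodle.com'
    but is a different registration.
    """
    return host == trusted or host.endswith("." + trusted)


def classify_link(url, trusted=TRUSTED_DOMAIN, brand=BRAND):
    """Classify a link as 'trusted', 'lookalike', 'other' or 'invalid'."""
    host = host_of(url)
    if not host:
        return "invalid"
    if is_trusted(host, trusted):
        return "trusted"
    # Brand name inside a hostname the bank does not control.
    if brand in host.translate(CONFUSABLES):
        return "lookalike"
    return "other"


def review_email(from_header, urls):
    """Return (url, reason) pairs for links that deserve a warning.

    The From header is only a claim (the report notes it can be spoofed),
    so it is used to raise suspicion, never to clear a link.
    """
    _, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    for url in urls:
        verdict = classify_link(url)
        if verdict == "lookalike":
            findings.append((url, "bank name in a domain the bank does not control"))
        elif verdict in ("other", "invalid") and is_trusted(sender_domain):
            findings.append((url, "mail claims to be from the bank but links elsewhere"))
    return findings


# Constructed sample message, modelled on the scenario in the report.
SAMPLE_FROM = "Noodle Bank <info@noodle.com>"
SAMPLE_LINKS = [
    "https://www.noodle.com/help",
    "http://www.noodle-bankcustomerlogin.com/login",
    "http://example.org/track",
]

if __name__ == "__main__":
    for url, reason in review_email(SAMPLE_FROM, SAMPLE_LINKS):
        print(f"WARN {url}: {reason}")
```
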

12. Cyber Pornography


Cyber pornography is believed to be one of the largest
businesses on the Internet today. The millions of pornographic
websites that flourish on the Internet are testimony to this.
While pornography per se is not illegal in many countries, child
pornography is strictly illegal in most nations today. Cyber
pornography includes pornographic websites, pornographic
magazines produced using computers (to publish and print the
material) and the Internet (to download and transmit
pornographic pictures, photos, writings etc).
Scenario: The suspect accepts online payments and allows
paying customers to view / download pornographic pictures,
videos etc from his website.
Modus Operandi: The suspect registers a domain name using
fictitious details and hosts a website on a server located in a
country where cyber pornography is not illegal. The suspect
accepts online payments and allows paying customers to view
/ download pornographic pictures, videos etc from his website.
Usual motive: Illegal financial gain.
Applicable law
Before 27 October, 2009: Section 67 of the Information Technology Act
After 27 October, 2009: Section 67 of the Information Technology Act and depending upon the content, sections 67A and 67B may also apply

13. Online Sale of Illegal Articles


It is becoming increasingly common to find cases where sale of
narcotic drugs, weapons, wildlife etc. is being facilitated by the
Internet. Information about the availability of the products for
sale is being posted on auction websites, bulletin boards etc.
Scenario:
The suspect posts information about the illegal sale that he
seeks to make. Potential customers can contact the seller using
the email IDs provided. If the buyer and seller trust each other
after their email and / or telephonic conversation, the actual
transaction can be concluded. In most such cases the buyer and
seller will meet face to face only at the time of the final
transaction.
Illustration: In March 2007, the Pune rural police
cracked down on an illegal rave party and arrested
hundreds of illegal drug users. The social networking
site, Orkut.com, is believed to be one of the modes of
communication for gathering people for the illegal
drug party.
Modus Operandi: The suspect creates an email ID using
fictitious details. He then posts messages, about the illegal
products, in various chat rooms, bulletin boards, newsgroups
etc. Potential customers can contact the seller using the email
IDs provided.
Usual motive: Illegal financial gain.

Applicable law
Before 27 October, 2009: Information Technology Act usually does not apply. Depending upon the illegal items being transacted in, the following may apply: Narcotic Drugs and Psychotropic Substances Act, Arms Act, Indian Penal Code, Wildlife related laws etc.
After 27 October, 2009: Information Technology Act usually does not apply. Depending upon the illegal items being transacted in, the following may apply: Narcotic Drugs and Psychotropic Substances Act, Arms Act, Indian Penal Code, Wildlife related laws etc.

14. Use of Internet and Computers by Terrorists


Many terrorists are using virtual as well as physical storage
media for hiding information and records of their illicit
business. They also use emails and chat rooms to communicate
with their counterparts around the globe.
Scenario:
The suspects carry laptops wherein information relating to
their activities is stored in encrypted and password protected
form. They also create email accounts using fictitious details. In
many cases, one email account is shared by many people.
E.g. one terrorist composes an email and saves it in the draft
folder. Another terrorist logs into the same account from
another city / country and reads the saved email. He then
composes his reply and saves it in the draft folder. The emails
are not actually sent. This makes email tracking and tracing
almost impossible.
Terrorists also use physical storage media for hiding the
information e.g. hard drives, floppies, USB drives, mobile phone
memory cards, digital camera memory cards, CD ROMs, DVD
ROMs, iPods etc. They also use virtual storage media for hiding
the information e.g. email accounts, online briefcases, FTP sites,
Gspace etc.
Modus Operandi: The terrorists purchase small storage
devices with large data storage capacities. They also purchase
and use encryption software. The terrorists may also use free
or paid accounts with online storage providers.

Usual motives: Keeping terrorism related information
confidential; securing communication amongst terrorist group
members.
Applicable law
Before 27 October, 2009: Apart from conventional terrorism laws, section 69 of the Information Technology Act may apply
After 27 October, 2009: Apart from conventional terrorism laws, section 69 of the Information Technology Act may apply

15. Virus Attacks


Computer viruses are malicious programs that destroy
electronic information. As the world is increasingly becoming
networked, the threat and damage caused by viruses is
growing by leaps and bounds.
Scenario 1:
The virus is a general "in the wild" virus. This means that it is
spreading all over the world and is not targeted at any specific
organization.
Modus Operandi: A skilled programmer creates a new type or
strain of virus and releases it on the Internet so that it can
spread all over the world. Being a new virus, it goes undetected
by many anti-virus programs and hence is able to spread all
over the world and cause a lot of damage. Anti-virus companies
are usually able to find a solution within 8 to 48 hours.
Usual motives: Thrill and a perverse pleasure in destroying
data belonging to strangers.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 426 of Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66A of the Information Technology Act and section 426 of Indian Penal Code

Scenario 2:
The virus targets a particular organization. This type of a virus
is not known to anti-virus companies as it is a new virus
created specifically to target a particular organization.
Modus Operandi: A skilled programmer creates a new type or
strain of virus. He does not release it on the Internet. Instead,
he sells it for a huge amount of money. The buyer uses the virus
to target his rival company. Being a new virus, it may go
undetected by the victim company's anti-virus software and
hence would be able to cause a lot of damage. Anti-virus
companies may never get to know about the existence of the
virus.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and section 426 of Indian Penal Code
After 27 October, 2009: Sections 43, 66 & 66A of the Information Technology Act and section 426 of Indian Penal Code

16. Web Defacement


Website defacement is usually the substitution of the original
home page of a website with another page (usually
pornographic or defamatory in nature) by a hacker.
Religious and government sites are regularly targeted by
hackers in order to display political or religious beliefs.
Disturbing images and offensive phrases might be displayed in
the process, as well as a signature of sorts, to show who was
responsible for the defacement. Websites are not only defaced
for political reasons; many defacers do it just for the thrill.
Scenario:
The homepage of a website is replaced with a pornographic or
defamatory page. In case of Government websites, this is most
commonly done on symbolic days (e.g. the Independence Day
of the country).
Modus Operandi: The defacer may exploit the vulnerabilities
of the operating system or applications used to host the
website. This will allow him to hack into the web server and
change the home page and other pages.
Alternatively, he may launch a brute force or dictionary attack
to obtain the administrator passwords for the website. He can
then connect to the web server and change the webpages.
Usual motives: Thrill or a perverse pleasure in inciting
communal disharmony.
Applicable law
Before 27 October, 2009: Sections 43 & 66 of the Information Technology Act and in some cases sections 67 and 70 may also apply
After 27 October, 2009: Sections 43 & 66 of the Information Technology Act and in some cases sections 66F, 67 and 70 may also apply

THREE

3. Important Case Law under Information Technology Act

1. ATMs - Computers or not?


In an interesting case, the Karnataka High Court laid down that
ATMs are not computers, but are electronic devices under
the Karnataka Sales Tax Act, 1957.
Diebold Systems Pvt Ltd [a manufacturer and supplier of
Automated Teller Machines (ATM)] had sought a clarification
from the Advance Ruling Authority (ARA) in Karnataka on the
rate of tax applicable under the Karnataka Sales Tax Act, 1957
on sale of ATMs.
The majority view of the ARA was to classify ATMs as
"computer terminals" liable for 4% basic tax as they would
fall under Entry 20(ii)(b) of Part 'C' of Second Schedule to the
Karnataka Sales Tax Act.
The Chairman of the ARA dissented from the majority view. In
his opinion, ATMs would fit into the description of electronic
goods, parts and accessories thereof. They would thus attract
12% basic tax and would fall under Entry 4 of Part 'E' of the
Second Schedule to the KST Act.
The Commissioner of Commercial Taxes was of the view that
the ARA ruling was erroneous and passed an order that ATMs
cannot be classified as computer terminals.
The High Court of Karnataka acknowledged that the IT Act
provided an enlarged definition of "computers". However,
the Court held that such a wide definition could not be used
for interpreting a taxation related law such as the Karnataka
Sales Tax Act, 1957.
The High Court also said that an ATM is not a computer by
itself and it is connected to a computer that performs the
tasks requested by the persons using the ATM. The computer is
connected electronically to many ATMs that may be located at
some distance from the computer.
Diebold Systems Pvt Ltd vs. Commissioner of Commercial Taxes
ILR 2005 KAR 2210, [2006] 144 STC 59(Kar)

2. Jurisdiction issues for Electronic Contracts


P.R. Transport Agency vs. Union of India & others
AIR2006All23, 2006(1)AWC504
IN THE HIGH COURT OF ALLAHABAD
Civil Misc. Writ Petition No. 58468 of 2005
Decided On: 24.09.2005
Appellants: P.R. Transport Agency through its partner Sri
Prabhakar Singh Vs.
Respondent: Union of India (UOI) through Secretary, Ministry
of Coal, Bharat Coking Coal Ltd. through its Chairman, Chief
Sales Manager Road Sales, Bharat Coking Coal Ltd. and Metal
and Scrap Trading Corporation Ltd. (MSTC Ltd.) through its
Chairman cum Managing Director
Background of the case
Bharat Coking Coal Ltd (BCC) held an e-auction for coal in
different lots. P.R. Transport Agency's (PRTA) bid was accepted
for 4000 metric tons of coal from Dobari Colliery.
The acceptance letter was issued on 19th July 2005 by e-mail to
PRTA's e-mail address. Acting upon this acceptance, PRTA
deposited the full amount of Rs. 81.12 lakh through a cheque in
favour of BCC. This cheque was accepted and encashed by BCC.

BCC did not deliver the coal to PRTA. Instead it e-mailed PRTA
saying that the sale as well as the e-auction in favour of PRTA
stood cancelled "due to some technical and unavoidable
reasons".
The only reason for this cancellation was that there was some
other person whose bid for the same coal was slightly higher
than that of PRTA. Due to some flaw in the computer or its
programme or feeding of data the higher bid had not been
considered earlier.
This communication was challenged by PRTA in the High Court
of Allahabad. [Note: Allahabad is in the state of Uttar Pradesh
(UP)]
BCC objected to the territorial jurisdiction of the Court on the
grounds that no part of the cause of action had arisen within
U.P.
Issue raised by BCC
The High Court at Allahabad (in U.P.) had no
jurisdiction as no part of the cause of action had
arisen within U.P.
Issues raised by PRTA
1. The communication of the acceptance of the
tender was received by the petitioner by e-mail
at Chandauli (U.P.). Hence, the contract (from
which the dispute arose) was completed at
Chandauli (U.P.). The completion of the contract
is a part of the cause of action.
2. The place where the contract was completed by
receipt of communication of acceptance is a
place where 'part of cause of action' arises.
Points considered by the court
1. With reference to contracts made by telephone,
telex or fax, the contract is complete when and
where the acceptance is received. However,
this principle can apply only where the
transmitting terminal and the receiving
terminal are at fixed points.
2. In case of e-mail, the data (in this case
acceptance) can be transmitted from anywhere
by the e-mail account holder. It goes to the
memory of a 'server' which may be located
anywhere and can be retrieved by the
addressee account holder from anywhere in
the world. Therefore, there is no fixed point
either of transmission or of receipt.
3. Section 13(3) of the Information Technology
Act has covered this difficulty of no fixed point
either of transmission or of receipt. According
to this section "...an electronic record is deemed
to be received at the place where the addressee
has his place of business."
4. The acceptance of the tender will be deemed to
be received by PRTA at the places where it has
its place of business. In this case it is Varanasi and
Chandauli (both in U.P.)
Decision of the court
1. The acceptance was received by PRTA at
Chandauli / Varanasi. The contract became
complete by receipt of such acceptance.
2. Both these places were within the territorial
jurisdiction of the High Court of Allahabad.
Therefore, a part of the cause of action had
arisen in U.P. and the court had territorial
jurisdiction.

3. Source code issues in cell phone unlocking


CASE LAW: Syed Asifuddin and Ors. Vs. The State of Andhra
Pradesh & Anr. [2005CriLJ4314]
Summary of the case:
Tata Indicom employees were arrested for manipulation of the
electronic 32-bit number (ESN) programmed into cell phones
that were exclusively franchised to Reliance Infocomm. The
court held that such manipulation amounted to tampering with
computer source code as envisaged by section 65 of the
Information Technology Act, 2000.
Background of the case:
Reliance Infocomm launched a scheme under which a cell
phone subscriber was given a digital handset worth Rs. 10,500
as well as a service bundle for 3 years with an initial payment of
Rs. 3350 and monthly outflow of Rs. 600. The subscriber was
also provided a 1 year warranty and 3 year insurance on the
handset.
The condition was that the handset was technologically locked
so that it would only work with the Reliance Infocomm
services. If the customer wanted to leave Reliance services, he
would have to pay some charges including the true price of the
handset. Since the handset was of a high quality, the market
response to the scheme was phenomenal.
Unidentified persons contacted Reliance customers with an
offer to change to a lower priced Tata Indicom scheme. As part
of the deal, their phone would be technologically unlocked so
that the exclusive Reliance handsets could be used for the Tata
Indicom service.
Reliance officials came to know about this unlocking by Tata
employees and lodged a First Information Report (FIR) under
various provisions of the Indian Penal Code, Information
Technology Act and the Copyright Act.
The police then raided some offices of Tata Indicom in Andhra
Pradesh and arrested a few Tata Teleservices Limited officials
for re-programming the Reliance handsets.
These arrested persons approached the High Court requesting
the court to quash the FIR on the grounds that their acts did
not violate the said legal provisions.
Issues raised by the Defence:
(1) Subscribers always had an option to change from one
service provider to another.
(2) The subscriber who wants to change from Tata Indicom
always takes his handset to other service providers to get
service connected and to give up Tata services.
(3) The handsets brought to Tata by Reliance subscribers are
capable of accommodating two separate lines and can be
activated on principal assignment mobile (NAM 1 or NAM 2).
The mere activation of NAM 1 or NAM 2 by Tata in relation to a
handset brought to it by a Reliance subscriber does not amount
to any crime.
(4) A telephone handset is neither a computer nor a computer
system containing a computer programme.
(5) There is no law in force which requires the maintenance of
"computer source code". Hence section 65 of the Information
Technology Act does not apply.
Findings of the court
(1) As per section 2 of the Information Technology Act, any
electronic, magnetic or optical device used for storage of
information received through satellite, microwave or other
communication media and the devices which are
programmable and capable of retrieving any information by
manipulations of electronic, magnetic or optical impulses is a
computer which can be used as computer system in a computer
network.
(2) The instructions or programme given to computer in a
language known to the computer are not seen by the users of
the computer/consumers of computer functions. This is known
as source code in computer parlance.
(3) A city can be divided into several cells. A person using a
phone in one cell will be plugged to the central transmitter of
the telecom provider. This central transmitter will receive the
signals and then divert them to the relevant phones.
(4) When the person moves from one cell to another cell in the
same city, the system i.e., Mobile Telephone Switching Office
(MTSO) automatically transfers signals from tower to tower.
(5) All cell phone service providers have special codes
dedicated to them and these are intended to identify the phone,
the phone's owner and the service provider.
(6) System Identification Code (SID) is a unique 5-digit number
that is assigned to each carrier by the licensor. Every cell phone
operator is required to obtain SID from the Government of
India. SID is programmed into a phone when one purchases a
service plan and has the phone activated.
(7) Electronic Serial Number (ESN) is a unique 32-bit number
programmed into the phone when it is manufactured by the
instrument manufacturer. ESN is a permanent part of the
phone.
(8) Mobile Identification Number (MIN) is a 10-digit number
derived from cell phone number given to a subscriber. MIN is
programmed into a phone when one purchases a service plan.
(9) When the cell phone is switched on, it listens for a SID on
the control channel, which is a special frequency used by the
phone and base station to talk to one another about things like
call set-up and channel changing.
(10) If the phone cannot find any control channels to listen to,
the cell phone displays "no service" message as it is out of
range.
(11) When cell phone receives SID, it compares it to the SID
programmed into the phone and if these code numbers match,
cell knows that it is communicating with its home system.
Along with the SID, the phone also transmits registration
request and MTSO which keeps track of the phone's location in
a database, knows which cell phone you are using and gives a
ring.
(12) So as to match with the system of the cell phone provider,
every cell phone contains a circuit board, which is the brain of
the phone. It is a combination of several computer chips
programmed to convert analog to digital and digital to analog
conversion and translation of the outgoing audio signals and
incoming signals.
(13) This is a micro processor similar to the one generally used
in the compact disk of a desktop computer. Without the circuit
board, cell phone instrument cannot function.
(14) When a Reliance customer opts for its services, the MIN
and SID are programmed into the handset. If someone
manipulates and alters ESN, handsets which are exclusively
used by them become usable by other service providers like
TATA Indicom.
Conclusions of the court
(1) A cell phone is a computer as envisaged under the
Information Technology Act.
(2) ESN and SID come within the definition of computer
source code under section 65 of the Information Technology
Act.
(3) When ESN is altered, the offence under Section 65 of
Information Technology Act is attracted because every service
provider has to maintain its own SID code and also give a
customer specific number to each instrument used to avail the
services provided.
(4) Whether a cell phone operator is maintaining computer
source code, is a matter of evidence.
(5) In Section 65 of Information Technology Act the disjunctive
word "or" is used in between the two phrases (a) "when the
computer source code is required to be kept" (b) "maintained
by law for the time being in force".

4. Liability of CEO of company under anti-porn law


CASE LAW: Avnish Bajaj vs. State (N.C.T.) of Delhi
[(2005)3CompLJ364(Del), 116(2005)DLT427, 2005(79)DRJ576]
Summary of the case
Avnish Bajaj, CEO of Baazee.com, an online auction website,
was arrested for distributing cyber pornography. The charges
stemmed from the fact that someone had sold copies of a
pornographic CD through the Baazee.com website. The court
granted him bail in the case.
The major factors considered by the court were:
(1) There was no prima facie evidence that Mr. Bajaj directly or
indirectly published pornography,
(2) The actual obscene recording/clip could not be viewed on
Baazee.com,
(3) Mr. Bajaj was of Indian origin and had family ties in India.
Background
Avnish Bajaj is the CEO of Baazee.com, a customer-to-customer
website, which facilitates the online sale of property.
Baazee.com receives commission from such sales and also
generates revenue from advertisements carried on its web
pages.

An obscene MMS clipping was listed for sale on Baazee.com on
27th November, 2004 in the name of "DPS Girl having fun".
Some copies of the clipping were sold through Baazee.com and
the seller received the money for the sale. Avnish Bajaj was
arrested under section 67 of the Information Technology Act,
2000 and his bail application was rejected by the trial court. He
then approached the Delhi High Court for bail.
Issues raised by the Prosecution
(1) The accused did not stop payment through banking
channels after learning of the illegal nature of the transaction.
(2) The item description "DPS Girl having fun" should have
raised an alarm.
Issues raised by the Defence
(1) Section 67 of the Information Technology Act relates to
publication of obscene material. It does not relate to
transmission of such material.
(2) On coming to learn of the illegal character of the sale,
remedial steps were taken within 38 hours, since the
intervening period was a weekend.
Findings of the court
(1) It has not been established that publication took place by
the accused, directly or indirectly.
(2) The actual obscene recording/clip could not be viewed on
the portal of Baazee.com.
(3) The sale consideration was not routed through the accused.
(4) Prima facie Baazee.com had endeavored to plug the
loophole.
(5) The accused had actively participated in the investigations.
(6) The nature of the alleged offence is such that the evidence
has already crystallized and may even be tamper proof.
(7) Even though the accused is a foreign citizen, he is of Indian
origin with family roots in India.
(8) The evidence that has been collected indicates only that the
obscene material may have been unwittingly offered for sale on
the website.
(9) The evidence that has been collected indicates that the
heinous nature of the alleged crime may be attributable to
some other person.

Decision of the court


(1) The court granted bail to Mr. Bajaj subject to furnishing two
sureties of Rs. 1 lakh each.
(2) The court ordered Mr. Bajaj to surrender his passport and
not to leave India without the permission of the Court.
(3) The court also ordered Mr. Bajaj to participate and assist in
the investigation.

FOUR

4. Role of Asian School of Cyber Laws in the development of Cyber Law

Some of our achievements

ASCL Computer Crime & Abuse Report
(India) is the only study of its kind quoted
by the United Nations in its E-commerce
& Development Report (2003).
This third edition of the E-Commerce and
Development Report, published by the
United Nations Conference on Trade and
Development, identifies some of the
implications that the growth of the digital
economy may have for developing
countries.
Relevant extract from the report:
Studies based on reported security incidents
assess internal threats as being as severe as
external ones.
For example, the Asian School of Cyber Laws
study Computer Crime and Abuse Report
2001-02 for India showed that over half of
the reported incidents were traced to
employees (21 per cent) or former employees
(31 per cent).
In the end, the question of IT security at the
firm level is much more a managerial
problem than a technical one.
It has to do with how penetrable the
enterprise wants its business processes to be
and how risk management is integrated into
those processes.
Management must decide what balance to
strike between the benefits of open,
collaborative business processes and the risks
that greater exposure entails.
The UN Report is available at:
www.asianlaws.org/aboutus/ecdr.pdf
The ASCL Computer Crime and Abuse
Report (2001-02) is available at:
www.asianlaws.org/aboutus/report.pdf

Federal Republic of Germany
We were invited to make a presentation on
"Indian Legal Position on Cyber Terrorism,
Encryption and Preventive Measures", on
behalf of the Karnataka Police, for Otto
Schily, Interior Minister, Federal Republic of
Germany.
Extract from the letter of appreciation issued
by Dr. P S Ramanujam, Director General of
Police, Corps of Detectives, Training, Special
Units & Economic Offences, Karnataka to
Rohas Nagpal, President, Asian School of
Cyber Laws.
We thank you for your kind presence on the
occasion of the visit of high level German
delegation headed by Shri Otto Schily, Hon'ble
Interior Minister of the Federal Republic of
Germany to the Cyber Crime Police Station,
Bangalore on October 30 2001.
The observations put forth by you on the Indian
Legal position on Cyber terrorism, on
encryption issues and the preventive measures
that are available were highly appreciated by
the delegation.
We thank you for your excellent presentation.
The digital version of this letter can be
downloaded from:
www.asianlaws.org/aboutus/germany.pdf

Malaysia
We have conducted training programs
on Cyber Crime Investigation, Incident
Response and Cyber Forensics for senior
Government and Police officials from
Malaysia.
Extract from an article in the Indian
Express dated April 30, 2004 titled "Pune
beats IT peers in fixing cyber crimes - From corporate America to Mauritius,
there is a beeline to ASCL for training":
Bangalore may have taken the tag of India's
Silicon Valley and Hyderabad would have
rechristened itself as cyberabad, but when it
comes to fixing the cyber crimes, Pune
seems to have taken the lead over its
illustrious peers.
Pune would not have made it to the global
infotech map for its code - writing abilities,
but when it comes to tackling cyber crimes,
it is the preferred destination even for
Corporate America.
For, the Asian School of Cyber Laws (ASCL) - an institution involved in education,
training and consultancy in cyber laws and
crime detection - has set up its base here.
Savour this: Last year, a team of Malaysian
government officials undertook training in
cyber laws and cyber crime investigation at
this institution.
That is not all to it. Corporate America
followed by its counterparts from the United
Kingdom and Hong Kong have all been
visiting the city to get trained at ASCL.
The digital version of this article is at:
www.asianlaws.org/aboutus/malaysia.pdf

We are a global leader in training in
cyber crime investigation and cyber
forensics

Extract from an article titled "Shaolin of
Cybercrime fighters" published in Times of
India:
The city seems to be fast becoming the final
answer to Asia's quest for low-cost training in
cyber-crime.
While a five member team of police officials
from Mauritius is undergoing a special,
month-long course in cyber crime
investigation, a few months ago, a four-member state team from Malaysia attended a
two-week crash course at the city-based Asian
School of Cyber laws (ASCL).
Another team from Mauritius is expected
soon, said Gaurav Sharma, head of education
and consultancy at the ASCL.
During the last year alone, around 140
individual and corporate sponsored students
from Japan, Korea, China, Singapore,
Malaysia, Hong-Kong and Mauritius
among other countries have taken
correspondence courses from the ASCL, to
learn about cyber crimes.
In all, 3,000 students took courses from the
ASCL so far, of whom 600 are foreigners.
In July-August, nearly 150 individual and
corporate sponsored students from various
Asian countries are expected to train at the
institute.
Rohas Nagpal, president, ASCL, said his
institute offered courses in both cyber crime
investigation and cyber laws.
In the last one year, the school has been
working closely with the Union ministry of IT
and communications.
It even helped the ministry frame rules under
the IT Act 2000, besides drafting the code of
conduct for cyber cafes in the country.
Ever since it was founded in 1999 by a group of
lawyers working in the field of information
security, the ASCL has been assisting law
enforcement agencies in India and many Asian
countries in the investigation of multi million
dollar cyber crimes.
These crimes involve cyber terrorism, cyber
forgery and attacks on health related IT
systems. The $1.5 million Bangalore source
code case and the Gian Carla Balestra case of
cyber stalking are among the dozens of cases
the school has helped crack.
In view of the growing use of the internet and
various IT initiatives taken up by countries like
China, Thailand, Malaysia, Taiwan and the
Philippines, there is a growing need for local
officials in these countries to understand the
implications and improve their skills in
handling related crime, said Sharma.
The training programme addresses issues such
as investigation of email crimes, hacking
attacks, denial of service attacks, tracking
viruses, web - jacking and web defacement,
network crimes, cyber terrorism and false
authentication using digital signatures etc. A
special module on ethical hacking is also to be
included. The school is also looking at working
in the US and Europe as well.
Among its future plans is developing best
practices in cyber crime investigation for law
enforcement agencies and evolving common
standards, at least for Asian countries.
The digital version of this article is at:
www.asianlaws.org/aboutus/shaolin.pdf

We have assisted the Indian Army,
various branches of the Indian police
and the Central Bureau of Investigation
in matters relating to cyber investigation.
Some of the relevant reference letters can
be downloaded in digital form from:
www.asianlaws.org/aboutus/army.pdf
www.asianlaws.org/aboutus/cbi.pdf
www.asianlaws.org/aboutus/blr.pdf
www.asianlaws.org/aboutus/kp.pdf
We have conducted training programs on
Cyber Crime Investigation, Incident
Response and Cyber Forensics for senior
Government and Police officials from
Mauritius.

In May 2011, the Mauritius Bar Association,
together with the Association of
Magistrates, invited Mr Debasis Nayak,
Director, Asian School of Cyber Laws, at
the seat of the Bar Council to provide "an
overview of Cyber law in Mauritius with
emphasis on evidentiary aspects of
cybercrime."
In his introductory note, His Honour
Patrick Kam Sing, Vice-President of the
Intermediate Court (Civil Side), laid
emphasis on the threat imposed by
Cybercrime and the fact that it is difficult
to secure a conviction given the
transnational nature of such offences.
The Monthly Legal Update Newsletter
dated June 2011 issued by the Office of
the Director Of Public Prosecutions,
Mauritius is available in digital form at:
www.asianlaws.org/aboutus/mba.pdf
We have also conducted a high end
training program at Accra, Ghana. Former
Deputy Minister of Communication Hon.
Gideon Kwame Boye Quarcoo was the
guest of honour.

World Congress on Informatics and Law

We were part of the Organizing
Committee for the World Congress on
Informatics and Law at:

- Spain (2002)
- Cuba (2003)
- Peru (2004)

World Congress For Informatics And Law
II was held in Madrid, Spain in 2002.
The Honorary President of the World
Congress was His Royal Highness the
Prince of Asturias.
World Congress II was the continuation
of World Congress I, held in Quito
(Ecuador), 15-18 October 2001, under
the auspices of the State of Ecuador,
represented by H.E. Vice President Pedro
Pinto, who chaired the inaugural session.
During this Congress, a paper titled
Cyber Terrorism in the context of
Globalization was presented by Rohas
Nagpal, President, Asian School of Cyber
Laws.
This was one of the first papers in the
world that defined the term cyber
terrorism. The definition was: "Cyber
terrorism is the premeditated use of
disruptive activities, or the threat thereof,
in cyber space, with the intention to further
social, ideological, religious, political or
similar objectives, or to intimidate any
person in furtherance of such objectives."
The digital version of this paper is at:
www.asianlaws.org/aboutus/spain.pdf

Government of India

We have assisted the Government of India
in framing draft rules and regulations under
the Information Technology Act and
drafting model rules for the functioning of
Cyber Cafes and drafting the Information
Age Crimes Act.

Vishal Kumar, Director (Academics),
Asian School of Cyber Laws was a
member of Sub-group on E-Security
under working group on Information
Technology Sector for the formulation of
the Twelfth Five Year Plan (2012-17),
Government of India, New Delhi, India.
Department of Information Technology,
as per the recommendation of Working
Group on Information Technology Sector
has constituted a Sub Group on E-Security
on 4th July 2011 to make the
recommendations on various policy
matters related to E-Security area for
formulation of the Twelfth Five Year Plan
(2012-2017).

We have assisted the Controller of
Certifying Authorities in drafting
regulations relating to the recognition of
foreign certifying authorities.
We have also provided academic support to
the National Consultation meeting on
Enforcement of Cyber Law held at New
Delhi on 31st January 2010.
This meeting was organized by National
Project Committee on Enforcement of Cyber
Law (Supreme Court of India) in
association with Cyber Appellate Tribunal,
Ministry of Communication & Information
Technology, Department of Information
Technology, Government of India and
National Legal Services Authority (NALSA).
A public interest litigation filed by our
students led to the appointment of
Adjudicating Officers to decide the fate of
cyber crime cases.
The Bombay high court directed the Union
government to expedite the process of
appointing enforcement authorities as per
the information technology (IT) Act, 2000, so
that aggrieved persons can get their
grievances settled.
The Bombay High Court bench comprising
Chief Justice A.P. Shah and Justice Ranjana
Desai gave this order while hearing a public
interest litigation (PIL) filed by Nupur Jain
and other students of Asian School of Cyber
Laws.

Extract of letter from S Lakshinarayanan,
IAS, Additional Secretary, Ministry of
Communications and IT, Government of
India:
As you are already associated with this
department's activity of 'Framing draft
rules and regulations under Information
Technology Act 2000' and 'Information Age
Crimes Act' you are aware of Government
of India's IT Act 2000 and the various steps
taken to formulate rules and regulations to
curb cyber crime, anti national activities
etc., especially through Internet, Cyber
Cafe's spread over in several metros, cities
and towns.
It is felt that the expertise of your
institution on the subject could benefit the
Government of India for formulating a
national level model of rules and
regulations.
The digital version of this letter is at:
www.asianlaws.org/aboutus/mit.pdf
Also see:
www.asianlaws.org/aboutus/rs.pdf
www.asianlaws.org/aboutus/dit.pdf
www.asianlaws.org/aboutus/sc.pdf
www.asianlaws.org/aboutus/ao.pdf

We have conducted training programs for
income tax officials at the National
Academy of Direct Taxes, Nagpur (a
Central Institute of the Ministry Of Finance)
and its unit at Lucknow - the Direct Taxes
Regional Training Institute.
We have conducted training programs for
police officials at the National Police
Academy, Hyderabad (which trains
officers of the Indian Police Service) and
Sher-I-Kashmir Police Academy.
We have conducted training programs for
bank officials at the National Institute of
Bank Management, Pune (an
autonomous apex institution set up by the
Reserve Bank of India, in consultation with
the Government of India).
We have conducted training programs for
insurance officials at the National
Insurance Academy, Pune.
We have also conducted training programs
for the Securities and Exchange Board of
India.
We have also conducted training programs
for Yashwantrao Chavan Academy of
Development Administration
(YASHADA), which is the Administrative
Training Institute of the Government of
Maharashtra.
We have also conducted training programs
for the Vaikunth Mehta National
Institute of Cooperative Management
(VAMNICOM), an Institution of National
Council for Cooperative Training, New
Delhi.

We have trained employees of Bank of India
and HSBC (one of the world's largest banking
and financial services organisations).
We were invited to conduct a session on
cyber security for Defence Institute of
Advanced Technology (DIAT), previously
called Institute of Armament Technology
(IAT), a Deemed University specializing in
Armament Technologies.
We have conducted workshops for
corporates such as Mahindra British Telecom,
National Stock Exchange, Kanbay, Finolex,
GCCI, MCCIA, Tata Consultancy Services,
Patni Computer Systems, Cognizant, Facor,
Thermax, Mastek Limited, CSI, DiPurba
Consulting- Malaysia, Microline, Bit- Tech,
Datamatics, Growel Softech, Iopsis, VAIDS,
Synel, Resonance, Rishabh Software, Seed
Infotech, NIIT, Delphi, Concourse, I2IT, IHNS2.
We have conducted workshops for
educational institutions such as Banaras
Hindu University, ILS Law College,
Government Law College (Mumbai), Nagpur
University, Bangalore Institute of Legal
Studies, Bharti Vidyapeeth University, Sri
Venkateswara University, Surendra Nath Law
College, M.G.Kashi Vidyapith University,
Hazra Law College (Kolkata), Jogeshchandra
Choudhoury Law College, Jadhavpur
University, YC Law College, Amravati College
of Management, Amravati University, V.M.
Salgaocar Law College.
Our Computer Emergency Response Team
has handled thousands of cyber crime
cases.

We have published the first-of-its-kind
Commentary on the Information
Technology Act.

We organize CyberAttack - a national
conference on cyber crime & security.
CyberAttack is usually held in India (Delhi,
Mumbai, Pune & Hyderabad) as well as
Mauritius.
Dr. Gulshan Rai, Director General, Indian
Computer Emergency Response Team,
Government of India inaugurated the
2011 conference at Pune. He also
delivered the key note address.
We were invited to talk on "International
and National Legal Implications of
Operations in Cyber Space" at Cyber
Security India 2011 - India's Only
Dedicated Military Cyber Security
Conference.
We conducted the world's first online
moot court in 2002 adjudged by Hon'ble
Ranganath Misra ex-chief Justice of
Supreme Court of India, ex-National
Human Rights Commission Chairman and
ex-Rajya Sabha member.

We have conducted cyber law workshops
under the guidance and supervision of the
office of the Chairperson, Cyber Appellate
Tribunal, New Delhi (established under
the Information Technology Act).
Law enforcement personnel in India and
abroad extensively use our Cyber Crime
Investigation Manual.
This was one of the first of its kind manuals in
the world. Times of India (the world's largest
selling English newspaper) has referred to it as
a bible for Cyber Crime Investigators.

We drafted the compromis, for the
Philip C. Jessup International Law Moot
Court Competition, 2002 (USA).
It is the world's largest moot court
competition, with participants from over
500 law schools in more than 80
countries. Please see:
www.asianlaws.org/aboutus/jessup.pdf

Some of our research publications

Internet Draft titled Biometric based
Digital Signature scheme which
proposes a method of using biometrics to
generate keys for use in digital signature
creation and verification.

Intellectual property law and
cyberspace - presented at the seminar on
intellectual property rights conducted by
the Department of Civics and Politics,
University of Mumbai in 2006.

Internet Time Theft & the Indian Law -
white paper prepared for the Corps of
Detectives, Karnataka Police, September
2001.

Legislative Approach to Digital
Signatures - paper presented at the First
World Congress on Computer Law
organized at Ecuador, October, 2001.

Legislative Approach to Digital
Signatures - paper presented at the
International Law Seminar organized by
ISIL at New Delhi, India in October, 2001.

Indian Legal position on Cyber
Terrorism, Encryption and preventive
measures on behalf of the Karnataka
Police for Otto Schily, Interior Minister,
Federal Republic of Germany (30th
October, 2001).

Cyber Terrorism in the context of
Globalisation - Paper presented at the
UGC sponsored National Seminar on
Globalization and Human Rights held
on 7th - 8th September, 2002 at Mumbai,
India.

Cyber Terrorism - A Global Perspective -
Paper presented at the Second World
Congress on Informatics and Law held at
Madrid, Spain from 23rd - 27th
September, 2002.

Defining Cyber Terrorism - paper
submitted at the National Seminar on
Human Rights and Terrorism on 9 and 10
March 2002 at Nagpur, India.

The mathematics of terror - paper
submitted at the National Seminar on
Human Rights and Terrorism on 9 and 10
March, 2002 at Nagpur, India.

We have conducted free "Cyber Smart"
seminars and workshops for thousands
of school children.

These programs were conducted under the
Republic of Cyberia project in several schools
in Pune and Mumbai including St. Mira's,
Bhartiya Vidya Bhavan, St. Joseph's, Bishop's
High School, St. Anne's, Dhirubhai Ambani
International School, Ecole Mondiale World
School, Blossoms School, JBCN International
School, Hill Spring and SVKM International
School.
These programs aim to make children
CyberSmart so they understand the cyber
threats facing them and their family.
Children are also taught how to protect
themselves and their family from these
threats. Finally, these programs teach
children how to efficiently and effectively
use cyber technology.

Thousands of students have benefitted
from our free online programs in cyber
law, intellectual property law, Cyber Crime
Protection and Program Data Privacy Law
in India.

We developed the world's smallest
cyber crime investigation device codenamed pCHIP.

It was released in August, 2010 by
Hon'ble Justice Rajesh Tandon, who was
then the Chairperson, Cyber Appellate
Tribunal, New Delhi.
pCHIP runs from a USB drive / micro SD
card without installation on the suspect
PC. It captures relevant volatile evidence
from a live (switched on) computer. It has
an extremely easy-to-use interface and
provides detailed reports.

This Portable Mega Investigation &
Forensic Solution is delivered in two
versions on a USB device and on a micro
SD card.

Some of the features of pCHIP are:

1. The pCHIP retrieves crucial volatile
digital evidence from the suspect
computer and generates 38 reports at the
click of a button.
2. The pCHIP can detect and list password
protected & encrypted files on a suspect
computer. It can also attack and crack
hundreds of types of passwords.
3. At the click of a button, the pCHIP can
generate a report containing the details
of every USB device ever connected to
the suspect computer.
The pCHIP can clone and image disks and
also recover deleted data.

We run moodstatus.me, a unique
personal cum social platform which
helps users flaunt as well as record and
map their moods.

We are the first private organization in
the world to offer complete forensic
investigation & training services for
cellular and mobile communication
devices.
Our expertise includes iPad & iPhone
Forensics, Blackberry Forensics, Android
Forensics, Windows Mobile Forensics as
well as Symbian Forensics.

We run 13q.me, a unique personal cum
social platform which is a modern
digitalized version of the popular slam
book concept.

We maintain the Global Cyber Law
Database, an online repository of cyber
related laws of major countries around
the globe.

We run bugs.ms, a Google Custom
Search Engine for bugs, hacks, exploits
and security for Microsoft products.
The search engine searches through a
database of websites that is compiled
and updated by subject experts. This
ensures that users get the most relevant
information.
Bugs are errors, flaws, mistakes, failures,
or faults in a computer program that
prevent it from behaving as intended.

We have launched a massive national
level program to make Indian colleges
ragging free. The various anti-ragging
laws in India include:
1. Guidelines issued by the Supreme Court
of India in the case of Vishwa Jagriti Mission
through President v/s Central Government
through Cabinet Secretary.
2. Guidelines issued by the Supreme Court
of India in the case of University of Kerala
v/s Council, Principals' Colleges, Kerala and
Others.
3. Recommendations made in the
Raghavan Committee Report.
4. Regulations issued by the University
Grants Commission.
Manual compliance with the stringent
anti-ragging laws would not only be
extremely time-consuming but also
would require a lot of people and
expense.
To enable colleges to comply with the
anti-ragging laws, we have developed
AR-64, a cutting edge technological
solution that automates the anti-ragging
legal compliance process.

The Information Technology Act and its
allied rules, regulations, orders etc
impose several obligations on corporates.
Failure to comply with these obligations
may be penalized with imprisonment,
fines and compensation.
We have developed the ita64 suite of
technological solutions for facilitating
Information Technology Act
compliance.
ita64 comprises the following 2 modules:
1. priv64, a cutting edge technological
solution that automates the data privacy
legal compliance process for 100%
compliance with India's data privacy laws
2. cert64, for 100% compliance with CERT
and other reporting requirements.

We have developed dx64, a Cyber
Warfare Early Warning System.
dx64 facilitates real-time, open exchange
of data from entities about how and
when cyber attacks have affected their
systems.
This data is analyzed to provide early-warning
of cyber attacks that could bring
down critical infrastructure.

FIVE

5. Information Technology Act as amended from
time to time with brief comments

THE INFORMATION TECHNOLOGY ACT, 2000
(No.21 OF 2000)
As amended by the
Information Technology (Amendment) Act, 2008

Preamble
An Act to provide legal recognition for transactions carried out
by means of electronic data interchange and other means of
electronic communication, commonly referred to as "electronic
commerce", which involve the use of alternative to paper-based
methods of communication and storage of information,
to facilitate electronic filing of documents with the Government
agencies and further to amend the Indian Penal Code, the Indian
Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and
the Reserve Bank of India Act, 1934 and for matters connected
therewith or incidental thereto.
WHEREAS the General Assembly of the United Nations by
resolution A/RES/ 51/162, dated 30th January, 1997 has
adopted the Model Law on Electronic Commerce adopted by
the United Nations Commission on International Trade Law;
AND WHEREAS the said resolution recommends inter alia that
all States give favourable consideration to the said Model Law
when they enact or revise their laws, in view of the need for
uniformity of the law applicable to alternatives to paper based
methods of communication and storage of information;
AND WHEREAS it is considered necessary to give effect to the
said resolution and to promote efficient delivery of
Government services by means of reliable electronic records.
BE it enacted by Parliament in the Fifty-first Year of the
Republic of India as follows:-

CHAPTER I
PRELIMINARY
1. Short title, extent, commencement and application
(1) This Act may be called the Information Technology Act,
2000.
(2) It shall extend to the whole of India and, save as otherwise
provided in this Act, it applies also to any offence or
contravention thereunder committed outside India by any
person.
(3) It shall come into force on such date as the Central
Government may, by notification, appoint and different dates
may be appointed for different provisions of this Act and any
reference in any such provision to the commencement of this
Act shall be construed as a reference to the commencement of
that provision.[2]

[2] The Act came into force on 17th October 2000.

(4) Nothing in this Act shall apply to documents or
transactions specified in the First Schedule:
Provided that the Central Government may, by notification in
the Official Gazette, amend the First Schedule by way of
addition or deletion of entries thereto.[3]
(5) Every notification issued under sub-section (4) shall be laid
before each House of Parliament.[4]
2. Definitions.
(1) In this Act, unless the context otherwise requires,-
(a) "access" with its grammatical variations and
cognate expressions, means gaining entry into,
instructing or communicating with the logical,
arithmetical or memory function resources of a
computer, computer system or computer network;

[3] Substituted by Information Technology (Amendment) Act, 2008 for:
"Nothing in this Act shall apply to,- (a) a negotiable instrument (other than a
cheque)3 as defined in section 13 of the Negotiable Instruments Act, 1881 (26
of 1881); (b) a power-of-attorney as defined in section 1A of the
Powers-of-Attorney Act, 1882 (7 of 1882); (c) a trust as defined in section 3 of the Indian
Trusts Act, 1882 (2 of 1882); (d) a will as defined in clause (h) of section (2)
of the Indian Succession Act, 1925 (39 of 1925), including any other
testamentary disposition by whatever name called; (e) any contract for the
sale or conveyance of immovable property or any interest in such property;
(f) any such class of documents or transactions as may be notified by the
Central Government in the Official Gazette."

[4] Inserted by Information Technology (Amendment) Act, 2008.

(b) "addressee" means a person who is intended by the
originator to receive the electronic record but does not
include any intermediary;
(c) "adjudicating officer" means an adjudicating officer
appointed under sub-section (1) of section 46;
(d) "affixing electronic signature"[5], with its grammatical
variations and cognate expressions means adoption of
any methodology or procedure by a person for the
purpose of authenticating an electronic record by
means of electronic signature;
(e) "appropriate Government" means as respects any
matter,-
(i) enumerated in List II of the Seventh
Schedule to the Constitution;
(ii) relating to any State law enacted under List
III of the Seventh Schedule to the Constitution,
the State Government and in any other case, the Central
Government;
(f) "asymmetric crypto system" means a system of a
secure key pair consisting of a private key for creating a
digital signature and a public key to verify the digital
signature;

[5] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

(g) "Certifying Authority" means a person who has
been granted a licence to issue a Electronic Signature
Certificate[6] under section 24;
(h) "certification practice statement" means a
statement issued by a Certifying Authority to specify
the practices that the Certifying Authority employs in
issuing Electronic Signature[7] Certificates;
(ha) "communication device" means cell phones,
personal digital assistance or combination of both or
any other device used to communicate, send or
transmit any text, video, audio or image;[8]
(i) "computer" means any electronic, magnetic, optical
or other high-speed data processing device or system
which performs logical, arithmetic, and memory
functions by manipulations of electronic, magnetic or
optical impulses, and includes all input, output,
processing, storage, computer software, or
communication facilities which are connected or relates
to the computer in a computer system or computer
network;

[6] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

[7] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

[8] Inserted by Information Technology (Amendment) Act, 2008.

(j) "computer network" means the inter-connection of
one or more computers or computer systems or
communication device through-
(i) the use of satellite, microwave, terrestrial line,
wire, wireless or other communication media; and
(ii) terminals or a complex consisting of two or
more inter-connected computers or communication
device whether or not the inter-connection is
continuously maintained;[9]
(k) "computer resources" means computer, computer
system, computer network, data, computer data base or
software;
(l) "computer system" means a device or collection of
devices, including input and output support devices
and excluding calculators which are not programmable
and capable of being used in conjunction with external
files which contain computer programmes, electronic
instructions, input data and output data that performs
logic, arithmetic, data storage and retrieval,
communication control and other functions;
(m) "Controller" means the Controller of Certifying
Authorities appointed under sub-section (1) of section
17;

[9] Substituted by Information Technology (Amendment) Act, 2008 for: "computer
network" means the inter-connection of one or more computers through- (i) the
use of satellite, microwave, terrestrial line or other communication media; and (ii)
terminals or a complex consisting of two or more interconnected computers
whether or not the interconnection is continuously maintained.

(n) "Cyber Appellate Tribunal" means the Cyber
Appellate Tribunal[10] established under sub-section (1)
of section 48;
(na) "cyber café" means any facility from where access
to the internet is offered by any person in the ordinary
course of business to the members of the public;[11]
(nb) "cyber security" means protecting information,
equipment, devices, computer, computer resource,
communication device and information stored therein
from unauthorised access, use, disclosure, disruption,
modification or destruction;[12]
(o) "data" means a representation of information,
knowledge, facts, concepts or instructions which are
being prepared or have been prepared in a formalised
manner, and is intended to be processed, is being
processed or has been processed in a computer system
or computer network, and may be in any form
(including computer printouts magnetic or optical
storage media, punched cards, punched tapes) or
stored internally in the memory of the computer;
(p) "digital signature" means authentication of any
electronic record by a subscriber by means of an
electronic method or procedure in accordance with the
provisions of section 3;

[10] The words "Cyber Appellate Tribunal" substituted for "Cyber Regulations
Appellate Tribunal" by Information Technology (Amendment) Act, 2008.

[11] Inserted by Information Technology (Amendment) Act, 2008.

[12] Inserted by Information Technology (Amendment) Act, 2008.

(q) "Digital Signature Certificate" means a Digital
Signature Certificate issued under sub-section (4) of
section 35;
(r) "electronic form", with reference to information
means, any information generated, sent, received or
stored in media, magnetic, optical, computer memory,
micro film, computer generated micro fiche or similar
device;
(s) "Electronic Gazette" means Official Gazette
published in the electronic form;
(t) "electronic record" means data, record or data
generated, image or sound stored, received or sent in
an electronic form or micro film or computer generated
micro fiche;
(ta) "electronic signature" means authentication of any
electronic record by a subscriber by means of the
electronic technique specified in the Second Schedule
and includes digital signature;[13]
(tb) "Electronic Signature Certificate" means an
Electronic Signature Certificate issued under section 35
and includes Digital Signature Certificate;[14]

[13] Inserted by Information Technology (Amendment) Act, 2008.

[14] Inserted by Information Technology (Amendment) Act, 2008.

(u) "function", in relation to a computer, includes logic,
control, arithmetical process, deletion, storage and
retrieval and communication or
telecommunication from or within a computer;
(ua) "Indian Computer Emergency Response Team"
means an agency established under sub-section (1) of
section 70B;[15]
(v) "information" includes data, message[16], text, images,
sound, voice, codes, computer programmes, software
and data bases or micro film or computer generated
micro fiche;
(w) "intermediary", with respect to any particular
electronic records, means any person who on behalf of
another person receives, stores or transmits that
record or provides any service with respect to that
record and includes telecom service providers, network
service providers, internet service providers, web-hosting
service providers, search engines, online
payment sites, online-auction sites, online-market
places and cyber cafes;[17]
(x) "key pair", in an asymmetric crypto system, means a
private key and its mathematically related public key,
which are so related that the public key can verify a
digital signature created by the private key;

[15] Inserted by Information Technology (Amendment) Act, 2008.

[16] The word "message" inserted by Information Technology (Amendment) Act,
2008.

[17] Substituted by Information Technology (Amendment) Act, 2008 for:
"intermediary" with respect to any particular electronic message, means any
person who on behalf of another person receives, stores or transmits that message
or provides any service with respect to that message;

(y) "law" includes any Act of Parliament or of a State
Legislature, Ordinances promulgated by the President
or a Governor, as the case may be, Regulations made by
the President under article 240, Bills enacted as
President's Act under sub-clause (a) of clause (1) of
article 375 of the Constitution and includes rules,
regulations, bye-laws and order issued or made
thereunder;
(z) "licence" means a licence granted to a Certifying
Authority under section 24;
(za) "originator" means a person who sends, generates,
stores or transmits any electronic message or causes
any electronic message to be sent, generated, stored or
transmitted to any other person but does not include
any intermediary;
(zb) "prescribed" means prescribed by rules made
under this Act;
(zc) "private key" means the key of a key pair used to
create a digital signature;
(zd) "public key" means the key of a key pair used to
verify a digital signature and listed in the Digital
Signature Certificate;
(ze) "secure system" means computer hardware,
software and procedure that-

(a) are reasonably secure from unauthorised
access and misuse;
(b) provide a reasonable level of reliability and
correct operation;
(c) are reasonably suited to performing the
intended functions; and
(d) adhere to generally accepted security
procedures;
(zf) "security procedure" means the security procedure
prescribed under section 16 by the Central
Government;
(zg) "subscriber" means a person in whose name the
Electronic Signature[18] Certificate is issued;
(zh) "verify", in relation to a digital signature, electronic
record or public key, with its grammatical variations
and cognate expressions, means to determine whether-

(a) the initial electronic record was affixed with
the digital signature by the use of private key
corresponding to the public key of the
subscriber;
(b) the initial electronic record is retained
intact or has been altered since such electronic
record was so affixed with the digital signature.

[18] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

(2) Any reference in this Act to any enactment or any provision
thereof shall, in relation to an area in which such enactment or
such provision is not in force, be construed as a reference to
the corresponding law or the relevant provision of the
corresponding law, if any, in force in that area.

CHAPTER II
DIGITAL SIGNATURE AND ELECTRONIC
SIGNATURE[19]
3. Authentication of electronic records.
(1) Subject to the provisions of this section, any subscriber
may authenticate an electronic record by affixing his digital
signature.
(2) The authentication of the electronic record shall be effected
by the use of asymmetric crypto system and hash function
which envelop and transform the initial electronic record into
another electronic record.
Explanation - For the purposes of this sub-section, "hash
function" means an algorithm mapping or translation of one
sequence of bits into another, generally smaller, set known as
"hash result" such that an electronic record yields the same
hash result every time the algorithm is executed with the same
electronic record as its input making it computationally
infeasible-
(a) to derive or reconstruct the original electronic
record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same
hash result using the algorithm.

[19] Substituted for "DIGITAL SIGNATURE" by Information Technology
(Amendment) Act, 2008.

(3) Any person by the use of a public key of the subscriber can
verify the electronic record.
(4) The private key and the public key are unique to the
subscriber and constitute a functioning key pair.
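
The following is an added illustration, not part of the Act or of this report, of the mechanism in section 3 and of the two determinations that section 2(1)(zh) calls "verify". It assumes SHA-256 as the hash function and textbook RSA with a simplified fixed padding; the keys are constructed from publicly known primes and all function names are hypothetical.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


class KeyPair(NamedTuple):
    n: int  # modulus, part of the public key
    e: int  # public exponent, part of the public key
    d: int  # private exponent, i.e. the private key


def make_key_pair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA key pair from two primes (toy: no prime or size checks)."""
    return KeyPair(p * q, e, pow(e, -1, (p - 1) * (q - 1)))


# Constructed keys built from publicly known Mersenne primes. Their factors
# are public, so they show the mechanics and protect nothing.
SUBSCRIBER = make_key_pair(2**521 - 1, 2**607 - 1)
OTHER_PERSON = make_key_pair(2**127 - 1, 2**521 - 1)

# Constructed sample electronic record.
RECORD = b"Constructed sample record: pay INR 5,000 to account 0001"


def hash_result(record: bytes) -> bytes:
    """Fixed-length hash result of an electronic record (SHA-256 assumed)."""
    return hashlib.sha256(record).digest()


def _modulus_len(n: int) -> int:
    """Length of the modulus in bytes."""
    return (n.bit_length() + 7) // 8


def _prefix(k: int) -> bytes:
    """Fixed padding that precedes the hash result in a k-byte signature block."""
    return b"\x00\x01" + b"\xff" * (k - HASH_LEN - 3) + b"\x00"


def sign(record: bytes, key: KeyPair) -> int:
    """Affix a signature: pad the hash result, then apply the private key."""
    block = _prefix(_modulus_len(key.n)) + hash_result(record)
    return pow(int.from_bytes(block, "big"), key.d, key.n)


class Verification(NamedTuple):
    signed_with_matching_key: bool  # determination (a) of "verify"
    record_intact: Optional[bool]   # determination (b); None when (a) fails


def verify(record: bytes, signature: int, n: int, e: int) -> Verification:
    """Verify a record using only the subscriber's public key (n, e)."""
    if not 0 < signature < n:
        return Verification(False, None)
    k = _modulus_len(n)
    # Applying the public key recovers the padded block that was signed.
    block = pow(signature, e, n).to_bytes(k, "big")
    prefix = _prefix(k)
    if not block.startswith(prefix):
        # Not produced with the private key matching this public key.
        return Verification(False, None)
    signed_hash = block[len(prefix):]
    # Compare the signed hash result with a fresh hash of the record in hand.
    intact = hmac.compare_digest(signed_hash, hash_result(record))
    return Verification(True, intact)


if __name__ == "__main__":
    sig = sign(RECORD, SUBSCRIBER)
    pub = (SUBSCRIBER.n, SUBSCRIBER.e)
    print("genuine record :", verify(RECORD, sig, *pub))
    print("altered record :", verify(RECORD + b"0", sig, *pub))
    print("other signer   :", verify(RECORD, sign(RECORD, OTHER_PERSON), *pub))
```

Deployed systems use a vetted library and a standardised padding scheme, and usually report only a single valid or invalid result rather than the two separate determinations shown here.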
3A. Electronic Signature.-[20]
(1) Notwithstanding anything contained in section 3, but
subject to the provisions of sub-section (2), a subscriber may
authenticate any electronic record by such electronic signature
or electronic authentication technique which
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or
electronic authentication technique shall be considered reliable
if
(a) the signature creation data or the authentication
data are, within the context in which they are used,
linked to the signatory or, as the case may be, the
authenticator and to no other person;

[20] Inserted by Information Technology (Amendment) Act, 2008.

(b) the signature creation data or the authentication
data were, at the time of signing, under the control of
the signatory or, as the case may be, the authenticator
and of no other person;
(c) any alteration to the electronic signature made after
affixing such signature is detectable;
(d) any alteration to the information made after its
authentication by electronic signature is detectable;
and
(e) it fulfils such other conditions which may be
prescribed.
(3) The Central Government may prescribe the procedure for
the purpose of ascertaining whether electronic signature is that
of the person by whom it is purported to have been affixed or
authenticated.
(4) The Central Government may, by notification in the Official
Gazette, add to or omit any electronic signature or electronic
authentication technique and the procedure for affixing such
signature from the Second Schedule:
Provided that no electronic signature or authentication
technique shall be specified in the Second Schedule unless such
signature or technique is reliable.
(5) Every notification issued under sub-section (4) shall be laid
before each House of Parliament.

CHAPTER III
ELECTRONIC GOVERNANCE
4. Legal recognition of electronic records
Where any law provides that information or any other matter
shall be in writing or in the typewritten or printed form, then,
notwithstanding anything contained in such law, such
requirement shall be deemed to have been satisfied if such
information or matter is-
(a) rendered or made available in an electronic form;
and
(b) accessible so as to be usable for a subsequent
reference.
5. Legal recognition of electronic signatures[21].
Where any law provides that information or any other matter
shall be authenticated by affixing the signature or any
document shall be signed or bear the signature of any person,
then, notwithstanding anything contained in such law, such
requirement shall be deemed to have been satisfied, if such
information or matter is authenticated by means of electronic
signature[22] affixed in such manner as may be prescribed by the
Central Government.
Explanation- For the purposes of this section, "signed", with its
grammatical variations and cognate expressions, shall, with
reference to a person, mean affixing of his hand written
signature or any mark on any document and the expression
"signature" shall be construed accordingly.

[21] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

6. Use of electronic records and digital signatures in
Government and its agencies.
(1) Where any law provides for-
(a) the filing of any form, application or any other
document with any office, authority, body or agency
owned or controlled by the appropriate Government in
a particular manner;
(b) the issue or grant of any licence, permit, sanction or
approval by whatever name called in a particular
manner;
(c) the receipt or payment of money in a particular
manner;
then, notwithstanding anything contained in any other law for
the time being in force, such requirement shall be deemed to
have been satisfied if such filing, issue, grant, receipt or
payment, as the case may be, is effected by means of such electronic
form as may be prescribed by the appropriate Government.

[22] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

(2) The appropriate Government may, for the purposes of
sub-section (1), by rules, prescribe-
(a) the manner and format in which such electronic
records shall be filed, created or issued;
(b) the manner or method of payment of any fee or
charges for filing, creation or issue any electronic
record under clause (a).
6A. Delivery of services by service provider.[23]
(1) The appropriate Government may, for the purposes of this
Chapter and for efficient delivery of services to the public
through electronic means authorise, by order, any service
provider to set up, maintain and upgrade the computerized
facilities and perform such other services as it may specify by
notification in the Official Gazette.
Explanation - For the purposes of this section, service provider
so authorised includes any individual, private agency, private
company, partnership firm, sole proprietor firm or any such
other body or agency which has been granted permission by
the appropriate Government to offer services through
electronic means in accordance with the policy governing such
service sector.
(2) The appropriate Government may also authorise any
service provider authorised under sub-section (1) to collect,
retain and appropriate such service charges, as may be
prescribed by the appropriate Government for the purpose of
providing such services, from the person availing such service.

[23] Inserted by Information Technology (Amendment) Act, 2008.

(3) Subject to the provision of sub-section (2), the appropriate
Government may authorise the service providers to collect,
retain and appropriate service charges under this section
notwithstanding the fact that there is no express provision
under the Act, rule, regulation or notification under which the
service is provided to collect, retain and appropriate e-service
charges by the service providers.
(4) The appropriate Government shall, by notification in the
Official Gazette, specify the scale of service charges which may
be charged and collected by the service providers under this
section:
Provided that the appropriate Government may specify
different scale of service charges for different types of services.
7. Retention of electronic records.
(1) Where any law provides that documents, records or
information shall be retained for any specific period, then, that
requirement shall be deemed to have been satisfied if such
documents, records or information are retained in the
electronic form, if-
(a) the information contained therein remains
accessible so as to be usable for a subsequent
reference;
(b) the electronic record is retained in the format in
which it was originally generated, sent or received or in
a format which can be demonstrated to represent
accurately the information originally generated, sent or
received;
(c) the details which will facilitate the identification of
the origin, destination, date and time of despatch or
receipt of such electronic record:
Provided that this clause does not apply to any information
which is automatically generated solely for the purpose of
enabling an electronic record to be despatched or received.
(2) Nothing in this section shall apply to any law that expressly
provides for the retention of documents, records or
information in the form of electronic records.
7A. Audit of documents, etc., maintained in electronic
form.-[24]
Where in any law for the time being in force, there is a
provision for audit of documents, records or information, that
provision shall also be applicable for audit of documents,
records or information processed and maintained in the
electronic form.

[24] Inserted by Information Technology (Amendment) Act, 2008.

8. Publication of rule, regulation, etc., in Electronic
Gazette.
Where any law provides that any rule, regulation, order,
bye-law, notification or any other matter shall be published in the
Official Gazette, then, such requirement shall be deemed to
have been satisfied if such rule, regulation, order, bye-law,
notification or any other matter is published in the Official
Gazette or Electronic Gazette:
Provided that where any rule, regulation, order, bye-law,
notification or any other matter is published in the Official
Gazette or Electronic Gazette, the date of publication shall be
deemed to be the date of the Gazette which was first published
in any form.
9. Section 6, 7 and 8 not to confer right to insist document
should be accepted in electronic form.
Nothing contained in section 6, 7 and 8 shall confer a right
upon any person to insist that any Ministry or Department of
the Central Government or the State Government or any
authority or body established by or under any law or
controlled or funded by the Central or State Government
should accept, issue, create, retain and preserve any document
in the form of electronic records or effect any monetary
transaction in the electronic form.
10. Power to make rules by Central Government in respect
of electronic signature[25].
The Central Government may, for the purposes of this Act, by
rules, prescribe-
(a) the type of electronic signature[26];
(b) the manner and format in which the electronic signature[27]
shall be affixed;
(c) the manner or procedure which facilitates identification of
the person affixing the electronic signature[28];
(d) control processes and procedures to ensure adequate
integrity, security and confidentiality of electronic records or
payments; and
(e) any other matter which is necessary to give legal effect to
electronic signatures[29].

[25] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[26] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[27] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[28] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[29] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

10A. Validity of contracts formed through electronic
means.-[30]
Where in a contract formation, the communication of
proposals, the acceptance of proposals, the revocation of
proposals and acceptances, as the case may be, are expressed
in electronic form or by means of an electronic record, such
contract shall not be deemed to be unenforceable solely on the
ground that such electronic form or means was used for that
purpose.

[30] Inserted by Information Technology (Amendment) Act, 2008.

CHAPTER IV
ATTRIBUTION, ACKNOWLEDGEMENT AND
DESPATCH OF ELECTRONIC RECORDS

11. Attribution of electronic records.
An electronic record shall be attributed to the originator,-
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the
originator in respect of that electronic record; or
(c) by any information system programmed by or on behalf of
the originator to operate automatically.
12. Acknowledgement of receipt.
(1) Where the originator has not stipulated[31] that the
acknowledgement of receipt of electronic record be given in a
particular form or by a particular method, an
acknowledgement may be given by-
(a) any communication by the addressee, automated or
otherwise; or
(b) any conduct of the addressee, sufficient to indicate
to the originator that the electronic record has been
received.
(2) Where the originator has stipulated that the electronic
record shall be binding only on receipt of an acknowledgement
of such electronic record by him, then unless acknowledgement
has been so received, the electronic record shall be deemed to
have been never sent by the originator.

[31] The word "stipulated" substituted for the words "agreed with the addressee" by
Information Technology (Amendment) Act, 2008.

(3) Where the originator has not stipulated that the electronic
record shall be binding only on receipt of such
acknowledgment, and the acknowledgement has not been
received by the originator within the time specified or agreed
or, if no time has been specified or agreed to within a
reasonable time, then the originator may give notice to the
addressee stating that no acknowledgement has been received
by him and specifying a reasonable time by which the
acknowledgement must be received by him and if no
acknowledgement is received within the aforesaid time limit he
may after giving notice to the addressee, treat the electronic
record as though it has never been sent.
13. Time and place of despatch and receipt of electronic
record.
(1) Save as otherwise agreed to between the originator and the
addressee, the despatch of an electronic record occurs when it
enters a computer resource outside the control of the
originator.
(2) Save as otherwise agreed between the originator and the
addressee, the time of receipt of an electronic record shall be
determined as follows, namely:-
(a) if the addressee has designated a computer
resource for the purpose of receiving electronic
record,-
(i) receipt occurs at the time when the
electronic record enters the designated
computer resource; or
(ii) if the electronic record is sent to a computer
resource of the addressee that is not the
designated computer resource, receipt occurs at
the time when the electronic record is retrieved
by the addressee;
(b) if the addressee has not designated a computer
resource along with specified timings, if any, receipt
occurs when the electronic record enters the computer
resource of the addressee.
(3) Save as otherwise agreed to between the originator and the
addressee, an electronic record is deemed to be despatched at
the place where the originator has his place of business, and is
deemed to be received where the addressee has his place of
business.
(4) The provisions of sub-section (2) shall apply
notwithstanding that the place where the computer resource is
located may be different from the place where the electronic
record is deemed to have been received under sub-section (3).
(5) For the purpose of this section,-
(a) if the originator or the addressee has more than one
place of business, the principal place of business, shall
be the place of business;
(b) if the originator or the addressee does not have a
place of business, his usual place of residence shall be
deemed to be the place of business;
(c) "usual place of residence", in relation to a body
corporate, means the place where it is registered.

CHAPTER V
SECURE ELECTRONIC RECORDS AND SECURE
ELECTRONIC[32] SIGNATURES[33]
14. Secure electronic record.
Where any security procedure has been applied to an
electronic record at a specific point of time, then such record
shall be deemed to be a secure electronic record from such
point of time to the time of verification.
15. Secure electronic signature.-[34]
An electronic signature shall be deemed to be a secure
electronic signature if
(i) the signature creation data, at the time of affixing signature,
was under the exclusive control of signatory and no other
person; and
(ii) the signature creation data was stored and affixed in such
exclusive manner as may be prescribed.
Explanation. In case of digital signature, the signature
creation data means the private key of the subscriber.

[32] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[33] Also refer to Information Technology (Security Procedure) Rules 2004.
[34] Substituted by Information Technology (Amendment) Act, 2008 for 15. Secure
digital signature.- If, by application of a security procedure agreed to by the
parties concerned, it can be verified that a digital signature, at the time it was
affixed, was (a) unique to the subscriber affixing it; (b) capable of identifying
such subscriber; (c) created in a manner or using a means under the exclusive
control of the subscriber and is linked to the electronic record to which related in
such a manner that if the electronic record was altered the digital signature would
be invalidated, then such digital signature shall be deemed to be a secure digital
signature

16. Security procedures and practices.-[35]
The Central Government may, for the purposes of sections 14
and 15, prescribe the security procedures and practices:
Provided that in prescribing such security procedures and
practices, the Central Government shall have regard to the
commercial circumstances, nature of transactions and such
other related factors as it may consider appropriate.

[35] Substituted by Information Technology (Amendment) Act, 2008 for 16.
Security procedure.- The Central Government shall for the purpose of this Act
prescribe the security procedure having regard to commercial circumstances
prevailing at the time when the procedure was used, including- (a) the nature of
the transaction; (b) the level of sophistication of the parties with reference to their
technological capacity; (c) the volume of similar transactions engaged in by other
parties; (d) the availability of alternatives offered to but rejected by any party; (e)
the cost of alternative procedures; and (f) the procedures in general use for similar
types of transaction or communications.

CHAPTER VI
REGULATION OF CERTIFYING AUTHORITIES
17. Appointment of Controller and other officers.
(1) The Central Government may, by notification in the Official
Gazette, appoint a Controller of Certifying Authorities for the
purposes of this Act and may, also by the same or subsequent
notification appoint such number of Deputy Controllers,
Assistant Controllers, other officers and employees[36] as it
deems fit.
(2) The Controller shall discharge his functions under this Act
subject to the general control and directions of the Central
Government.
(3) The Deputy Controllers and Assistant Controllers shall
perform the functions assigned to them by the Controller under
the general superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of
service of Controller, Deputy Controllers, Assistant Controllers,
other officers and employees[37] shall be such as may be
prescribed by the Central Government.
(5) The Head Office and Branch Office of the office of the
Controller shall be at such places as the Central Government
may specify, and these may be established at such places as the
Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.

[36] The words "and Assistant Controllers" substituted for the words "Assistant
Controllers, other officers and employees" by Information Technology
(Amendment) Act, 2008.
[37] The words "and Assistant Controllers" substituted for the words "Assistant
Controllers, other officers and employees" by Information Technology
(Amendment) Act, 2008.

18. Functions of Controller.
The Controller may perform all or any of the following functions,
namely:-
(a) exercising supervision over the activities of Certifying
Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by Certifying
Authorities;
(d) specifying the qualifications and experience which
employees of the Certifying Authorities should possess;
(e) specifying the conditions subject to which the Certifying
Authority shall conduct their business;
(f) specifying the contents of written, printed or visual
materials and advertisements that may be distributed or used
in respect of a Electronic Signature[38] Certificate and the public
key;
(g) specifying the form and content of a Electronic Signature[39]
Certificate and the key;
(h) specifying the form and manner in which accounts shall be
maintained by the Certifying Authorities;
(i) specifying the terms and conditions subject to which
auditors may be appointed and the remuneration to be paid to
them;
(j) facilitating the establishment of any electronic system by a
Certifying Authority either solely or jointly with other
Certifying Authorities and regulation of such systems;
(k) specifying the manner in which the Certifying Authorities
shall conduct their dealings with the subscribers;
(l) resolving any conflict of interests between the Certifying
Authorities and the subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a data base containing the disclosure record of
every Certifying Authority containing such particulars as may
be specified by regulations, which shall be accessible to public.

[38] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[39] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

19. Recognition of foreign Certifying Authorities.
(1) Subject to such conditions and restrictions as may be
specified, by regulations, the Controller may, with the previous
approval of the Central Government, and by notification in the
Official Gazette, recognise any foreign Certifying Authority as a
Certifying Authority for the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section (1),
the Electronic Signature[40] Certificate issued by such
Certifying Authority shall be valid for the purposes of this Act.
(3) The Controller may, if he is satisfied that any Certifying
Authority has contravened any of the conditions and
restrictions subject to which it was granted recognition under
sub-section (1), he may, for reasons to be recorded in writing,
by notification in the Official Gazette, revoke such recognition.

[40] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

20. Omitted by Information Technology (Amendment) Act,
2008[41]
21. Licence to issue Electronic Signature[42] Certificates.
(1) Subject to the provisions of sub-section (2), any person
may make an application, to the Controller, for a licence to
issue Electronic Signature[43] Certificates.
(2) No licence shall be issued under sub-section (1), unless the
applicant fulfills such requirements with respect to
qualification, expertise, manpower, financial resources and
other infrastructure facilities, which are necessary to issue
Electronic Signature[44] Certificates as may be prescribed by the
Central Government.
(3) A licence granted under this section shall-
(a) be valid for such period as may be prescribed by the
Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be
specified by the regulations.

[41] Controller to act as repository. (1) The Controller shall be the repository of all
Digital Signature Certificates issued under this Act. (2) The Controller shall- (a)
make use of hardware, software and procedures that are secure from intrusion and
misuse; (b) observe such other standards as may be prescribed by the Central
Government; to ensure that the secrecy and security of the digital signatures are
assured. (3) The Controller shall maintain a computerised data base of all public
keys in such a manner that such data base and the public keys are available to any
member of the public.
[42] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[43] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

22. Application for licence[45].
(1) Every application for issue of a licence shall be in such form
as may be prescribed by the Central Government.
(2) Every application for issue of a licence shall be
accompanied by-
(a) a certification practice statement;
(b) a statement including the procedures with respect
to identification of the applicant;
(c) payment of such fees, not exceeding twenty-five
thousand rupees as may be prescribed by the Central
Government;
(d) such other documents, as may be prescribed by the
Central Government.

[44] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
[45] Also refer to Circular No. 1/2001 dated 9th July 2001 titled "GUIDELINES
FOR SUBMISSION OF APPLICATION FOR LICENCE TO OPERATE AS A
CERTIFYING AUTHORITY UNDER THE IT ACT, 2000" issued by Office of
Controller of Certifying Authorities.

23. Renewal of licence
(a) in such form;
(b) accompanied by such fees, not exceeding five
thousand rupees,
as may be prescribed by the Central Government and
shall be made not less than forty-five days before the
date of expiry of the period of validity of the licence.
24. Procedure for grant or rejection of licence.
The Controller may, on receipt of an application under sub-section (1)
of section 21, after considering the documents
accompanying the application and such other factors, as he
deems fit, grant the licence or reject the application:
Provided that no application shall be rejected under this
section unless the applicant has been given a reasonable
opportunity of presenting his case.
25. Suspension of licence.
(1) The Controller may, if he is satisfied after making such
inquiry, as he may think fit, that a Certifying Authority has,-
(a) made a statement in, or in relation to, the
application for the issue or renewal of the licence,
which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions
subject to which the licence was granted;
(c) failed to maintain the procedures and standards
specified in section 30[46].
(d) contravened any provisions of this Act, rule,
regulation or order made thereunder,
revoke the licence:
Provided that no licence shall be revoked unless the Certifying
Authority has been given a reasonable opportunity of showing
cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe
that there is any ground for revoking a licence under
sub-section (1), by order suspend such licence pending the
completion of any inquiry ordered by him:
Provided that no licence shall be suspended for a period
exceeding ten days unless the Certifying Authority has been
given a reasonable opportunity of showing cause against the
proposed suspension:
(3) No Certifying Authority whose licence has been suspended
shall issue any Electronic Signature[47] Certificate during such
suspension.

[46] Substituted for the words "(c) failed to maintain the standards specified under
clause (b) of sub-section (2) of section 20;" by Information Technology (Removal
of Difficulties) Order, 2002
[47] The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

26. Notice of suspension or revocation of licence.-
(1) Where the licence of the Certifying Authority is suspended
or revoked, the Controller shall publish notice of such
suspension or revocation, as the case may be, in the data base
maintained by him.
(2) Where one or more repositories are specified, the
Controller shall publish notices of such suspension or
revocation, as the case may be, in all such repositories:
Provided that the data base containing the notice of such
suspension or revocation, as the case may be, shall be made
available through a web site which shall be accessible round
the clock:
Provided further that the Controller may, if he considers
necessary, publicise the contents of data base in such electronic
or other media, as he may consider appropriate.
27. Power to delegate
The Controller may, in writing, authorise the Deputy
Controller, Assistant Controller or any officer to exercise any of
the powers of the Controller under this Chapter.
28. Power to investigate contraventions.
(1) The Controller or any officer authorised by him in this
behalf shall take up for investigation any contravention of the
provisions of this Act, rules or regulations made thereunder.
(2) The Controller or any officer authorised by him in this
behalf shall exercise the like powers which are conferred on
Income-tax authorities under Chapter XIII of the Income-tax
Act, 1961, (43 of 1961), and shall exercise such powers, subject
to such limitations laid down under that Act.
29. Access to computers and data.
(1) Without prejudice to the provisions of sub-section (1) of
section 69, the Controller or any person authorised by him
shall, if he has reasonable cause to suspect that any
contravention of the provisions of this Chapter[48] has been
committed, have access to any computer system, any
apparatus, data or any other material connected with such
system, for the purpose of searching or causing a search to be
made for obtaining any information or data contained in or
available to such computer system.
(2) For the purposes of sub-section (1), the Controller or any
person authorised by him may, by order, direct any person
in-charge of, or otherwise concerned with the operation of, the
computer system, data apparatus or material, to provide him
with such reasonable technical and other assistance as he may
consider necessary.

[48] The words "any contravention of the provisions of this Chapter" substituted for
"any contravention of the provisions of this Act, rules or regulations made
thereunder" by Information Technology (Amendment) Act, 2008.

30. Certifying Authority to follow certain procedures.
Every Certifying Authority shall,-
(a) make use of hardware, software, and procedures
that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its
services which are reasonably suited to the
performance of intended functions;
(c) adhere to security procedures to ensure that the
secrecy and privacy of the electronic signatures[49] are
assured;
(ca) be the repository of all Electronic Signature
Certificates issued under this Act;[50]
(cb) publish information regarding its practices,
Electronic Signature Certificates and current status of
such certificates; and[51]
(d) observe such other standards as may be specified
by regulations.
31. Certifying Authority to ensure compliance of the Act,
etc.Every Certifying Authority shall ensure that every person
employed or otherwise engaged by it complies, in the course of
his employment or engagement, with the provisions of this Act,
rules, regulations and orders made thereunder.
32. Display of licence.Every Certifying Authority shall display its licence at a
conspicuous place of the premises in which it carries on its
business.
33. Surrender of licence.
49 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
50 Inserted by Information Technology (Amendment) Act, 2008.
51 Inserted by Information Technology (Amendment) Act, 2008.

(1) Every Certifying Authority whose licence is suspended or
revoked shall immediately after such suspension or revocation,
surrender the licence to the Controller.
(2) Where any Certifying Authority fails to surrender a licence
under sub-section (1), the person in whose favour a licence is
issued, shall be guilty of an offence and shall be punished with
imprisonment which may extend upto six months or a fine
which may extend upto ten thousand rupees or with both.
34. Disclosure.
(1) Every Certifying Authority shall disclose in the manner
specified by regulations
(a) its Electronic Signature52 Certificate; 53
(b) any certification practice statement relevant
thereto;
(c) notice of the revocation or suspension of its
Certifying Authority Certificate, if any; and
(d) any other fact that materially and adversely affects
either the reliability of a Electronic Signature54
Certificate, which that Authority has issued, or the
Authority's ability to perform its services.
52 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
53 The words "which contains the public key corresponding to the private key used
by that Certifying Authority to digitally sign another Digital Signature Certificate"
omitted by Information Technology (Amendment) Act, 2008.
54 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

(2) Where in the opinion of the Certifying Authority any event
has occurred or any situation has arisen which may materially
and adversely affect the integrity of its computer system or the
conditions subject to which a Electronic Signature55 Certificate
was granted, then, the Certifying Authority shall
(a) use reasonable efforts to notify any person who is
likely to be affected by that occurrence; or
(b) act in accordance with the procedure specified in its
certification practice statement to deal with such event
or situation.

CHAPTER VII
ELECTRONIC SIGNATURE56 CERTIFICATES
35. Certifying Authority to issue Electronic Signature57
Certificate.
(1) Any person may make an application to the Certifying
Authority for the issue of a Electronic Signature Certificate in
such form as may be prescribed by the Central Government.
55 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
56 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
57 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

(2) Every such application shall be accompanied by such fee
not exceeding twenty-five thousand rupees as may be
prescribed by the Central Government, to be paid to the
Certifying Authority:
Provided that while prescribing fees under sub-section (2)
different fees may be prescribed for different classes of
applicants.
(3) Every such application shall be accompanied by a
certification practice statement or where there is no such
statement, a statement containing such particulars, as may be
specified by regulations58.
(4) On receipt of an application under sub-section (1), the
Certifying Authority may, after consideration of the
certification practice statement or the other statement under
sub-section (3) and after making such enquiries as it may deem
fit, grant the Electronic Signature Certificate or for reasons to
be recorded in writing, reject the application:
Provided that no Electronic Signature Certificate shall be
granted unless the Certifying Authority is satisfied that
(a) omitted by Information Technology (Amendment)
Act, 2008. 59
58 Also refer to Executive Order dated 12th September, 2002 which states inter alia
that "For the purpose of sub-sections (3) and (4) of Section 35 of the Information
Technology Act, 2000. every application for the issue of a Digital Signature
Certificate shall not be required to be accompanied by a certificate practice
statement as required under the said sub-sections."
59 (a) the applicant holds the private key corresponding to the public key to be
listed in the Digital Signature Certificate;

(b) the applicant holds a private key, which is capable
of creating a electronic signature;
(c) the public key to be listed in the certificate can be
used to verify a electronic signature affixed by the
private key held by the applicant:
Provided that no application shall be rejected unless the
applicant has been given a reasonable opportunity of showing
cause against the proposed rejection.
36. Representations upon issuance of Digital Signature
Certificate.
A Certifying Authority while issuing a Digital Signature
Certificate shall certify that
(a) it has complied with the provisions of this Act and
the rules and regulations made thereunder;
(b) it has published the Digital Signature Certificate or
otherwise made it available to such person relying on it
and the subscriber has accepted it;
(c) the subscriber holds the private key corresponding
to the public key, listed in the Digital Signature
Certificate;
(ca) the subscriber holds a private key which is capable
of creating a digital signature;60

60 Inserted by Information Technology (Amendment) Act, 2008.

(cb) the public key to be listed in the certificate can be
used to verify a digital signature affixed by the private
key held by the subscriber;61
(d) the subscriber's public key and private key
constitute a functioning key pair;
(e) the information contained in the Digital Signature
Certificate is accurate; and
(f) it has no knowledge of any material fact, which if it
had been included in the Digital Signature Certificate
would adversely affect the reliability of the
representations made in clauses (a) to (d).
37. Suspension of Digital Signature Certificate.
(1) Subject to the provisions of sub-section (2), the
Certifying Authority which has issued a Digital
Signature Certificate may suspend such Digital
Signature Certificate,
(a) on receipt of a request to that effect from
(i) the subscriber listed in the Digital Signature
Certificate; or
(ii) any person duly authorised to act on behalf
of that subscriber;
(b) if it is of opinion that the Digital Signature
Certificate should be suspended in public interest.
61 Inserted by Information Technology (Amendment) Act, 2008.

(2) A Digital Signature Certificate shall not be suspended for a
period exceeding fifteen days unless the subscriber has been
given an opportunity of being heard in the matter.
(3) On suspension of a Digital Signature Certificate under this
section, the Certifying Authority shall communicate the same to
the subscriber.
38. Revocation of Digital Signature Certificate.
(1) A Certifying Authority may revoke a Digital Signature
Certificate issued by it
(a) where the subscriber or any other person
authorised by him makes a request to that effect; or
(b) upon the death of the subscriber; or
(c) upon the dissolution of the firm or winding up of the
company where the subscriber is a firm or a company.
(2) Subject to the provisions of sub-section (3) and without
prejudice to the provisions of sub-section (1), a Certifying
Authority may revoke a Digital Signature Certificate which has
been issued by it at any time, if it is of opinion that
(a) a material fact represented in the Digital Signature
Certificate is false or has been concealed;
(b) a requirement for issuance of the Digital Signature
Certificate was not satisfied;
(c) the Certifying Authority's private key or security
system was compromised in a manner materially
affecting the Digital Signature Certificate's reliability;
(d) the subscriber has been declared insolvent or dead
or where a subscriber is a firm or a company, which has
been dissolved, wound-up or otherwise ceased to exist.
(3) A Digital Signature Certificate shall not be revoked unless
the subscriber has been given an opportunity of being heard in
the matter.
(4) On revocation of a Digital Signature Certificate under this
section, the Certifying Authority shall communicate the same to
the subscriber.
39. Notice of suspension or revocation62.
(1) Where a Digital Signature Certificate is suspended or
revoked under section 37 or section 38, the Certifying
Authority shall publish a notice of such suspension or
revocation, as the case may be, in the repository specified in
the Digital Signature Certificate for publication of such notice.
(2) Where one or more repositories are specified, the Certifying
Authority shall publish notices of such suspension or
revocation, as the case may be, in all such repositories.

CHAPTER VIII
DUTIES OF SUBSCRIBERS

62 Also refer to Circular No. 1/2002 dated 16th December 2002 titled
"GUIDELINES FOR SUBMISSION OF CERTIFICATES AND CRLS TO THE
CCA FOR PUBLISHING IN NRDC BY CERTIFYING AUTHORITIES" issued
by Office of Controller of Certifying Authorities.

40. Generating key pair.
Where any Digital Signature Certificate, the public key of which
corresponds to the private key of that subscriber which is to be
listed in the Digital Signature Certificate has been accepted by a
subscriber, the subscriber shall generate that key pair by
applying the security procedure63.
40A. Duties of subscriber of Electronic Signature Certificate.-
In respect of Electronic Signature Certificate the subscriber
shall perform such duties as may be prescribed.64
41. Acceptance of Digital Signature Certificate.
(1) A subscriber shall be deemed to have accepted a Digital
Signature Certificate if he publishes or authorises the
publication of a Digital Signature Certificate
(a) to one or more persons;
(b) in a repository; or
otherwise demonstrates his approval of the Digital Signature
Certificate in any manner.

63 Substituted for "40. Where any Digital Signature Certificate, the public key of
which corresponds to the private key of that subscriber which is to be listed in the
Digital Signature Certificate has been accepted by a subscriber, then, the
subscriber shall generate the key pair by applying the security procedure." by
Information Technology (Removal of Difficulties) Order, 2002.
64 Inserted by Information Technology (Amendment) Act, 2008.

(2) By accepting a Digital Signature Certificate the subscriber
certifies to all who reasonably rely on the information
contained in the Digital Signature Certificate that
(a) the subscriber holds the private key corresponding
to the public key listed in the Digital Signature
Certificate and is entitled to hold the same;
(b) all representations made by the subscriber to the
Certifying Authority and all material relevant to the
information contained in the Digital Signature
Certificate are true;
(c) all information in the Digital Signature Certificate
that is within the knowledge of the subscriber is true.
42. Control of private key.
(1) Every subscriber shall exercise reasonable care to retain
control of the private key corresponding to the public key
listed in his Digital Signature Certificate and take all steps to
prevent its disclosure65.
(2) If the private key corresponding to the public key listed in
the Digital Signature Certificate has been compromised, then,
the subscriber shall communicate the same without any delay
to the Certifying Authority in such manner as may be specified
by the regulations.

65 Substituted for "(1) Every subscriber shall exercise reasonable care to retain
control of the private key corresponding to the public key listed in his Digital
Signature Certificate and take all steps to prevent its disclosure to a person not
authorised to affix the digital signature of the subscriber." by Information
Technology (Removal of Difficulties) Order, 2002.

Explanation.- For removal of doubts, it is hereby declared that
the subscriber shall be liable till he has informed the certifying
Authority that the private key has been compromised.

CHAPTER IX
PENALTIES, COMPENSATION AND
ADJUDICATION 66
43. Penalty and compensation67 for damage to computer,
computer system, etc.
If any person without permission of the owner or any other
person who is in charge of a computer, computer system or
computer network,
(a) accesses or secures access to such computer,
computer system or computer network or computer
resource68;
(b) downloads, copies or extracts any data, computer
data base or information from such computer,
computer system or computer network including
information or data held or stored in any removable
storage medium.
66 The words "PENALTIES, COMPENSATION AND ADJUDICATION"
substituted for "PENALTIES AND ADJUDICATION" by Information
Technology (Amendment) Act, 2008.
67 The words "and Compensation" inserted by Information Technology
(Amendment) Act, 2008.
68 The words "or computer resource" inserted by Information Technology
(Amendment) Act, 2008.
(c) introduces or causes to be introduced any computer
contaminant or computer virus into any computer,
computer system or computer network;
(d) damages or causes to be damaged any computer,
computer system or computer network, data, computer
data base or any other programmes residing in such
computer, computer system or computer network;
(e) disrupts or causes disruption of any computer,
computer system or computer network;
(f) denies or causes the denial of access to any person
authorised to access any computer, computer system or
computer network by any means;
(g) provides any assistance to any person to facilitate
access to a computer, computer system or computer
network in contravention of the provisions of this Act,
rules or regulations made thereunder;
(h) charges the services availed of by a person to the
account of another person by tampering with or
manipulating any computer, computer system or
computer network,
(i) destroys, deletes or alters any information residing
in a computer resource or diminishes its value or utility
or affects it injuriously by any means;69

69 Inserted by Information Technology (Amendment) Act, 2008.

(j) steal, conceals, destroys or alters or causes any
person to steal, conceal, destroy or alter any computer
source code used for a computer resource with an
intention to cause damage;70
he shall be liable to pay damages by way of compensation to
the person so affected. 71
Explanation. -For the purposes of this section,
(i) "computer contaminant" means any set of computer
instructions that are designed
(a) to modify, destroy, record, transmit data or
programme residing within a computer,
computer system or computer network; or
(b) by any means to usurp the normal operation
of the computer, computer system, or computer
network;
(ii) "computer data base" means a representation of
information, knowledge, facts, concepts or instructions
in text, image, audio, video that are being prepared or
have been prepared in a formalised manner or have been
produced by a computer, computer system or computer
network and are intended for use in a computer,
computer system or computer network;

70 Inserted by Information Technology (Amendment) Act, 2008.
71 The words "he shall be liable to pay damages by way of compensation to the
person so affected" substituted for "he shall be liable to pay damages by way of
compensation not exceeding one crore rupees to the person so affected".

(iii) "computer virus" means any computer instruction,
information, data or programme that destroys,
damages, degrades or adversely affects the performance
of a computer resource or attaches itself to another
computer resource and operates when a programme,
data or instruction is executed or some other event
takes place in that computer resource;
(iv) "damage" means to destroy, alter, delete, add,
modify or re-arrange any computer resource by any
means.
(v) "computer source code" means the listing of
programmes, computer commands, design and layout
and programme analysis of computer resource in any
form.72
43 A. Compensation for failure to protect data.-73
Where a body corporate, possessing, dealing or handling any
sensitive personal data or information in a computer resource
which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices
and procedures and thereby causes wrongful loss or wrongful
gain to any person, such body corporate shall be liable to pay
damages by way of compensation to the person so affected.
72 Inserted by Information Technology (Amendment) Act, 2008.
73 Inserted by Information Technology (Amendment) Act, 2008. Information
Technology (Reasonable security practices and procedures and sensitive personal
data or information) Rules, 2011 passed. These rules define sensitive personal
data or information and form the crux of India's data privacy law. Press notes
clarifying issues under this were issued by the Government on 10 May 2011 and
24 August 2011.

Explanation.- For the purposes of this section,
(i) "body corporate" means any company and includes a
firm, sole proprietorship or other association of individuals
engaged in commercial or professional activities;
(ii) "reasonable security practices and procedures" means
security practices and procedures designed to protect such
information from unauthorised access, damage, use,
modification, disclosure or impairment, as may be specified in
an agreement between the parties or as may be specified in any
law for the time being in force and in the absence of such
agreement or any law, such reasonable security practices and
procedures, as may be prescribed by the Central Government
in consultation with such professional bodies or associations as
it may deem fit;
(iii) "sensitive personal data or information" means such
personal information as may be prescribed by the Central
Government in consultation with such professional bodies or
associations as it may deem fit.
44. Penalty for failure to furnish information, return, etc.
If any person who is required under this Act or any rules or
regulations made thereunder to
(a) furnish any document, return or report to the
Controller or the Certifying Authority fails to furnish
the same, he shall be liable to a penalty not exceeding
one lakh and fifty thousand rupees for each such
failure;
(b) file any return or furnish any information, books or
other documents within the time specified therefore in
the regulations fails to file return or furnish the same
within the time specified therefore in the regulations,
he shall be liable to a penalty not exceeding five
thousand rupees for every day during which such
failure continues;
(c) maintain books of account or records, fails to
maintain the same, he shall be liable to a penalty not
exceeding ten thousand rupees for every day during
which the failure continues.
45. Residuary penalty.
Whoever contravenes any rules or regulations made under this
Act, for the contravention of which no penalty has been
separately provided, shall be liable to pay a compensation not
exceeding twenty-five thousand rupees to the person affected
by such contravention or a penalty not exceeding twenty-five
thousand rupees.
46. Power to adjudicate.
(1) For the purpose of adjudging under this Chapter whether
any person has committed a contravention of any of the
provisions of this Act or of any rule, regulation, direction or
order made thereunder which renders him liable to pay
penalty or compensation,74 the Central Government shall,
subject to the provisions of sub-section (3), appoint any officer
not below the rank of a Director to the Government of India or
an equivalent officer of a State Government to be an
adjudicating officer for holding an inquiry in the manner
prescribed by the Central Government75.
74 The words "direction or order made thereunder which renders him liable to pay
penalty or compensation," substituted for the words "direction or order made
thereunder" by Information Technology (Amendment) Act, 2008.
(1A) The adjudicating officer appointed under sub-section (1)
shall exercise jurisdiction to adjudicate matters in which the
claim for injury or damage does not exceed rupees five crore:
Provided that the jurisdiction in respect of the claim for injury
or damage exceeding rupees five crore shall vest with the
competent court.76
(2) The adjudicating officer shall, after giving the person
referred to in sub-section (1) a reasonable opportunity for
making representation in the matter and if, on such inquiry, he
is satisfied that the person has committed the contravention,
he may impose such penalty or award such compensation as he
thinks fit in accordance with the provisions of that section.
(3) No person shall be appointed as an adjudicating officer
unless he possesses such experience in the field of Information
Technology and legal or judicial experience as may be
prescribed by the Central Government.
(4) Where more than one adjudicating officers are appointed,
the Central Government shall specify by order the matters and
places with respect to which such officers shall exercise their
jurisdiction.
75 Refer to the Order dated 25th March 2003 [G.S.R.240(E)] which states inter alia
that the Secretary of Department of Information Technology of each of the States
or of Union Territories is hereby appointed as Adjudicating Officer for the
purposes of the Information Technology Act, 2000.
Also refer to Information Technology (Qualification and Experience of
Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 dated 17th
March 2003.
76 Inserted by Information Technology (Amendment) Act, 2008.
(5) Every adjudicating officer shall have the powers of a civil
court which are conferred on the Cyber Appellate Tribunal
under sub-section (2) of section 58, and
(a) all proceedings before it shall be deemed to be
judicial proceedings within the meaning of section 193
and 228 of the Indian Penal Code;
(b) shall be deemed to be a civil court for the purpose
of section 345 and 346 of the Code of Criminal
Procedure, 1973
(c) shall be deemed to be a civil court for purposes of
Order XXI of the Civil Procedure Code, 1908.77
47. Factors to be taken into account by the adjudicating
officer.
While adjudging the quantum of compensation under this
Chapter, the adjudicating officer shall have due regard to the
following factors, namely:
(a) the amount of gain of unfair advantage, wherever
quantifiable, made as a result of the default;
(b) the amount of loss caused to any person as a result
of the default;
(c) the repetitive nature of the default.
77 Inserted by Information Technology (Amendment) Act, 2008.

CHAPTER X
THE CYBER APPELLATE TRIBUNAL78
48. Establishment of Cyber Appellate Tribunal.
(1) The Central Government shall, by notification, establish one
or more appellate tribunals to be known as the Cyber Appellate
Tribunal.
(2) The Central Government shall also specify, in the
notification referred to in sub-section (1), the matters and
places in relation to which the Cyber Appellate Tribunal may
exercise jurisdiction.
49. Composition of Cyber Appellate Tribunal.-79
(1) The Cyber Appellate Tribunal shall consist of a
Chairperson and such number of other Members, as the Central
Government may, by notification in the official Gazette,
appoint:
Provided that the person appointed as the Presiding Officer of
the Cyber Appellate Tribunal under the provisions of this Act
immediately before the commencement of the Information
Technology (Amendment) Act, 2008 shall be deemed to have
been appointed as the Chairperson of the said Cyber Appellate
Tribunal under the provisions of this Act as amended by the
Information Technology (Amendment) Act, 2008.
78 Also refer to Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
and Cyber Regulations Appellate Tribunal (Salary, Allowances and other terms
and conditions of service of Presiding Officer) Rules, 2003.
79 Substituted by Information Technology (Amendment) Act, 2008 for "A cyber
Appellate Tribunal shall consist of one person only (hereinafter referred to as the
Presiding Officer of the Cyber Appellate Tribunal) to be appointed, by
notification, by the Central Government."
(2) The selection of Chairperson and Members of the Cyber
Appellate Tribunal shall be made by the Central Government in
consultation with the Chief Justice of India.
(3) Subject to the provisions of this Act
(a) the jurisdiction, powers and authority of the Cyber
Appellate Tribunal may be exercised by the Benches
thereof;
(b) a Bench may be constituted by the Chairperson of
the Cyber Appellate Tribunal with one or two Members
of such Tribunal as the Chairperson may deem fit;
(c) the Benches of the Cyber Appellate Tribunal shall sit
at New Delhi and at such other places as the Central
Government may, in consultation with the Chairperson
of the Cyber Appellate Tribunal, by notification in the
Official Gazette, specify;
(d) the Central Government shall, by notification in the
Official Gazette, specify the areas in relation to which
each Bench of the Cyber Appellate Tribunal may
exercise its jurisdiction.
(4) Notwithstanding anything contained in sub-section (3), the
Chairperson of the Cyber Appellate Tribunal may transfer a
Member of such Tribunal from one Bench to another Bench.
(5) If at any stage of the hearing of any case or matter it
appears to the Chairperson or a Member of the Cyber Appellate
Tribunal that the case or matter is of such a nature that it ought
to be heard by a Bench consisting of more Members, the case or
matter may be transferred by the Chairperson to such Bench as
the Chairperson may deem fit.
50. Qualifications for appointment as Chairperson and
Members of Cyber Appellate Tribunal. 80
(1) A person shall not be qualified for appointment as a
Chairperson of the Cyber Appellate Tribunal unless he is, or has
been, or is qualified to be, a Judge of a High Court.
(2) The Members of the Cyber Appellate Tribunal, except the
Judicial Member to be appointed under sub-section (3), shall be
appointed by the Central Government from amongst persons,
having special knowledge of, and professional experience in,
information technology, telecommunication, industry,
management or consumer affairs:
Provided that a person shall not be appointed as a Member,
unless he is, or has been, in the service of the Central
Government or a State Government, and has held the post of
Additional Secretary to the Government of India or any
equivalent post in the Central Government or State
Government for a period of not less than one year or Joint
Secretary to the Government of India or any equivalent post in
the Central Government or State Government for a period of
not less than seven years.
80 Substituted by Information Technology (Amendment) Act, 2008 for "A person
shall not be qualified for appointment as the Presiding Officer of a Cyber
Appellate Tribunal unless he- (a) is, or has been, or is qualified to be, a Judge of a
High Court; or (b) is, or has been a member of the Indian Legal Service and is
holding or has held a post in Grade I of that Service for at least three years."

(3) The Judicial Members of the Cyber Appellate Tribunal shall
be appointed by the Central Government from amongst
persons who is or has been a member of the Indian Legal
Service and has held the post of Additional Secretary for a
period of not less than one year or Grade I post of that Service
for a period of not less than five years.
51. Term of office, conditions of service, etc., of
Chairperson and Members. 81
(1) The Chairperson or Members of the Cyber Appellate
Tribunal shall hold office for a term of five years from the date
on which he enters upon his office or until he attains the age of
sixty-five years, whichever is earlier.
(2) Before appointing any person as the Chairperson or
Member of the Cyber Appellate Tribunal, the Central
Government shall satisfy itself that the person does not have
any such financial or other interest as is likely to affect
prejudicially his functions as such Chairperson or Member.
(3) An officer of the Central Government or State Government
on his selection as the Chairperson or Member of the Cyber
Appellate Tribunal, as the case may be, shall have to retire from
service before joining as such Chairperson or Member.

52. Salary, allowances and other terms and conditions of
service of Chairperson and Members.82
81 Substituted by Information Technology (Amendment) Act, 2008 for "The
Presiding Officer of a Cyber Appellate Tribunal shall hold office for a term of five
years from the date on which he enters upon his office or until he attains the age
of sixty-five years, whichever is earlier."

The salary and allowances payable to, and the other terms and
conditions of service including pension, gratuity and other
retirement benefits of, the Chairperson or a Member of the
Cyber Appellate Tribunal shall be such as may be prescribed.
52A. Powers of superintendence, direction etc.83
The Chairperson of the Cyber Appellate Tribunal shall have
powers of general superintendence and directions in the
conduct of the affairs of that Tribunal and he shall, in addition
to presiding over the meetings of the Tribunal, exercise and
discharge such powers and functions of the Tribunal as may be
prescribed.
52B. Distribution of business among Benches.84
Where Benches are constituted, the Chairperson of the Cyber
Appellate Tribunal may, by order, distribute the business of
that Tribunal amongst the Benches and also the matters to be
dealt with by each Bench.
52C. Power of Chairperson to transfer cases. 85

82 Substituted by Information Technology (Amendment) Act, 2008 for "The salary
and allowances payable to, and the other terms and conditions of service including
pension, gratuity and other retirement benefits of, the Presiding Officer of a Cyber
Appellate Tribunal shall be such as may be prescribed: Provided that neither the
salary and allowances nor the other terms and conditions of service of the
Presiding Officers shall be varied to his disadvantage after appointment."
83 Inserted by Information Technology (Amendment) Act, 2008.
84 Inserted by Information Technology (Amendment) Act, 2008.
85 Inserted by Information Technology (Amendment) Act, 2008.

On the application of any of the parties and after notice to the
parties, and after hearing such of them as he may deem proper
to be heard, or suo motu without such notice, the Chairperson
of the Cyber Appellate Tribunal may transfer any case pending
before one Bench, for disposal to any other Bench.
52D. Decision by majority. 86
If the Members of a Bench consisting of two Members differ in
opinion on any point, they shall state the point or points on
which they differ, and make a reference to the Chairperson of
the Cyber Appellate Tribunal who shall hear the point or points
himself and such point or points shall be decided according to
the opinion of the majority of the Members who have heard the
case, including those who first heard it.
53. Filling up of vacancies.
If, for reason other than temporary absence, any vacancy
occurs in the office of the Chairperson or Member87 of a Cyber
Appellate Tribunal, then the Central Government shall appoint
another person in accordance with the provisions of this Act to
fill the vacancy and the proceedings may be continued before
the Cyber Appellate Tribunal from the stage at which the
vacancy is filled.
54. Resignation and removal.

86 Inserted by Information Technology (Amendment) Act, 2008.
87 The words "Chairperson or Member, as the case may be," substituted for
"Presiding Officer" by Information Technology (Amendment) Act, 2008.

(1) The Chairperson or Member88 of a Cyber Appellate
Tribunal may, by notice in writing under his hand addressed to
the Central Government, resign his office:
Provided that the said Chairperson or Member89 shall, unless
he is permitted by the Central Government to relinquish his
office sooner, continue to hold office until the expiry of three
months from the date of receipt of such notice or until a person
duly appointed as his successor enters upon his office or until
the expiry of his term of office, whichever is the earliest.
(2) The Chairperson or Member90 of a Cyber Appellate
Tribunal shall not be removed from his office except by an
order by the Central Government on the ground of proved
misbehaviour or incapacity after an inquiry made by a Judge of
the Supreme Court in which the Presiding Officer concerned
has been informed of the charges against him and given a
reasonable opportunity of being heard in respect of these
charges.
(3) The Central Government may, by rules, regulate the
procedure for the investigation of misbehaviour or incapacity
of the aforesaid Chairperson or Member91.

88 The words Chairperson or Member, as the case may be, substituted for
Presiding Officer by Information Technology (Amendment) Act, 2008.

89 The words Chairperson or Member, as the case may be, substituted for
Presiding Officer by Information Technology (Amendment) Act, 2008.

90 The words Chairperson or Member, as the case may be, substituted for
Presiding Officer by Information Technology (Amendment) Act, 2008.

91 The words Chairperson or Member, as the case may be, substituted for
Presiding Officer by Information Technology (Amendment) Act, 2008.

55. Orders constituting Appellate Tribunal to be final and
not to invalidate its proceedings.
No order of the Central Government appointing any person as
the Chairperson or Member92 of a Cyber Appellate Tribunal
shall be called in question in any manner and no act or
proceeding before a Cyber Appellate Tribunal shall be called in
question in any manner on the ground merely of any defect in
the constitution of Cyber Appellate Tribunal.
56. Staff of the Cyber Appellate Tribunal.
(1) The Central Government shall provide the Cyber Appellate
Tribunal with such officers and employees as that Government
may think fit.
(2) The officers and employees of the Cyber Appellate Tribunal
shall discharge their functions under general superintendence
of the Chairperson93.
(3) The salaries, allowances and other conditions of service of
the officers and employees of the Cyber Appellate Tribunal
shall be such as may be prescribed by the Central Government.

92 The words Chairperson or Member, as the case may be, substituted for
Presiding Officer by Information Technology (Amendment) Act, 2008.

93 The words Chairperson substituted for Presiding Officer by Information
Technology (Amendment) Act, 2008.

57. Appeal to Cyber Regulations Appellate Tribunal.
(1) Save as provided in sub-section (2), any person aggrieved
by an order made by controller or an adjudicating officer under
this Act may prefer an appeal to a Cyber Appellate Tribunal
having jurisdiction in the matter.
(2) No appeal shall lie to the Cyber Appellate Tribunal from an
order made by an adjudicating officer with the consent of the
parties.
(3) Every appeal under sub-section (1) shall be filed within a
period of forty-five days from the date on which a copy of the
order made by the Controller or the adjudicating officer is
received by the person aggrieved and it shall be in such form
and be accompanied by such fee as may be prescribed:
Provided that the Cyber Appellate Tribunal may entertain an
appeal after the expiry of the said period of forty-five days if it
is satisfied that there was sufficient cause for not filing it within
that period.
(4) On receipt of an appeal under sub-section (1), the Cyber
Appellate Tribunal may, after giving the parties to the appeal,
an opportunity of being heard, pass such orders thereon as it
thinks fit, confirming, modifying or setting aside the order
appealed against.
(5) The Cyber Appellate Tribunal shall send a copy of every
order made by it to the parties to the appeal and to the
concerned controller or adjudicating officer.
(6) The appeal filed before the Cyber Appellate Tribunal under
sub-section (1) shall be dealt with by it as expeditiously as
possible and endeavour shall be made by it to dispose of the
appeal finally within six months from the date of receipt of the
appeal.

58. Procedure and powers of the Cyber Appellate Tribunal.
(1) The Cyber Appellate Tribunal shall not be bound by the
procedure laid down by the Code of Civil Procedure, 1908 (5 of
1908), but shall be guided by the principles of natural justice
and, subject to the other provisions of this Act and of any rules,
the Cyber Appellate Tribunal shall have powers to regulate its
own procedure including the place at which it shall have its
sittings.
(2) The Cyber Appellate Tribunal shall have, for the purposes
of discharging its functions under this Act, the same powers as
are vested in a civil court under the Code of Civil Procedure,
1908 (5 of 1908), while trying a suit, in respect of the following
matters, namely:
(a) summoning and enforcing the attendance of any
person and examining him on oath;
(b) requiring the discovery and production of
documents or other electronic records;
(c) receiving evidence on affidavits;
(d) issuing commissions for the examination of
witnesses or documents;
(e) reviewing its decisions;
(f) dismissing an application for default or deciding it ex
parte;
(g) any other matter which may be prescribed.
(3) Every proceeding before the Cyber Appellate Tribunal shall
be deemed to be a judicial proceeding within the meaning of
section 193 and 228, and for the purposes of section 196 of the
Indian Penal Code (45 of 1860) and the Cyber Appellate
Tribunal shall be deemed to be a civil court for the purposes of
section 195 and Chapter XXVI of the Code of Criminal
Procedure, 1973 (2 of 1974).
59. Right to legal representation.
The appellant may either appear in person or authorise one or
more legal practitioners or any of its officers to present his or
its case before the Cyber Appellate Tribunal.
60. Limitation.
The provisions of the Limitation Act, 1963, (36 of 1963), shall,
as far as may be, apply to an appeal made to the Cyber
Appellate Tribunal.
61. Civil court not to have jurisdiction.
No court shall have jurisdiction to entertain any suit or
proceeding in respect of any matter which an adjudicating
officer appointed under this Act or the Cyber Appellate
Tribunal constituted under this Act is empowered by or under
this Act to determine and no injunction shall be granted by any
court or other authority in respect of any action taken or to be
taken in pursuance of any power conferred by or under this
Act.
62. Appeal to High Court.
Any person aggrieved by any decision or order of the Cyber
Appellate Tribunal may file an appeal to the High Court within
sixty days from the date of communication of the decision or
order of the Cyber Appellate Tribunal to him on any question of
fact or law arising out of such order:
Provided that the High Court may, if it is satisfied that the
appellant was prevented by sufficient cause from filing the
appeal within the said period, allow it to be filed within a further
period not exceeding sixty days.

63. Compounding of contraventions.


(1) Any contravention under this Act94 may, either before or
after the institution of adjudication proceedings, be
compounded by the Controller or such other officer as may be
specially authorised by him in this behalf or by the adjudicating
officer, as the case may be, subject to such conditions as the
Controller or such other officer or the adjudicating officer may
specify:
Provided that such sum shall not, in any case, exceed the
maximum amount of the penalty which may be imposed under
this Act for the contravention so compounded.
(2) Nothing in sub-section (1) shall apply to a person who
commits the same or similar contravention within a period of
three years from the date on which the first contravention,
committed by him, was compounded.
Explanation.- For the purposes of this sub-section, any second
or subsequent contravention committed after the expiry of a
period of three years from the date on which the contravention
was previously compounded shall be deemed to be a first
contravention.

94 The word Chapter has been substituted by the word Act by Information
Technology (Removal of Difficulties) Order, 2002.

(3) Where any contravention has been compounded under
sub-section (1), no proceeding or further proceeding, as the
case may be, shall be taken against the person guilty of such
contravention in respect of the contravention so compounded.
64. Recovery of penalty or compensation.
A penalty imposed or compensation awarded95 under this Act,
if it is not paid shall be recovered as an arrear of land revenue
and the licence or the Electronic Signature96 Certificate, as the
case may be, shall be suspended till the penalty is paid.

95 The words or compensation awarded inserted by Information Technology
(Amendment) Act, 2008.

96 The words electronic signature substituted for digital signature by
Information Technology (Amendment) Act, 2008.

CHAPTER XI
OFFENCES

65. Tampering with computer source documents.
Whoever knowingly or intentionally conceals, destroys or
alters or intentionally or knowingly causes another to conceal,
destroy or alter any computer source code used for a
computer, computer programme, computer system or
computer network, when the computer source code is required
to be kept or maintained by law for the time being in force,
shall be punishable with imprisonment up to three years, or
with fine which may extend up to two lakh rupees, or with
both.
Explanation. - For the purposes of this section, "computer
source code" means the listing of programmes, computer
commands, design and layout and programme analysis of
computer resource in any form.

66. Computer related offences. 97


If any person, dishonestly or fraudulently, does any act
referred to in section 43, he shall be punishable with
imprisonment for a term which may extend to three years or
with fine which may extend to five lakh rupees or with both.
Explanation. - For the purposes of this section,
(a) the word dishonestly shall have the meaning
assigned to it in section 24 of the Indian Penal Code;
(b) the word fraudulently shall have the meaning
assigned to it in section 25 of the Indian Penal Code.

97 Substituted by Information Technology (Amendment) Act, 2008 for (1)
Whoever with the intent of cause or knowing that is likely to cause wrongful loss
or damage to the public or any person destroys or deletes or alters any information
residing in a computer resource or diminishes its value or utility or affects it
injuriously by any means, commits hacking. (2) Whoever commits hacking shall
be punished with imprisonment up to three years, or with fine which may extend
up to two lakh rupees, or with both.

66A. Punishment for sending offensive messages through
communication service, etc98
Any person who sends, by means of a computer resource or a
communication device,
(a) any information that is grossly offensive or has menacing
character; or
(b) any information which he knows to be false, but for the
purpose of causing annoyance, inconvenience, danger,
obstruction, insult, injury, criminal intimidation, enmity, hatred
or ill will, persistently by making use of such computer
resource or a communication device; or
(c) any electronic mail or electronic mail message for the
purpose of causing annoyance or inconvenience or to deceive
or to mislead the addressee or recipient about the origin of
such messages, shall be punishable with imprisonment for a
term which may extend to three years and with fine.
Explanation. For the purposes of this section, terms
electronic mail and electronic mail message means a
message or information created or transmitted or received on a
computer, computer system, computer resource or
communication device including attachments in text, image,
audio, video and any other electronic record, which may be
transmitted with the message.
66B. Punishment for dishonestly receiving stolen
computer resource or communication device. 99
Whoever dishonestly receives or retains any stolen computer
resource or communication device knowing or having reason
to believe the same to be stolen computer resource or
communication device, shall be punished with imprisonment of
either description for a term which may extend to three years
or with fine which may extend to rupees one lakh or with both.

98 Inserted by Information Technology (Amendment) Act, 2008

99 Inserted by Information Technology (Amendment) Act, 2008

66C. Punishment for identity theft. 100
Whoever, fraudulently or dishonestly make use of the
electronic signature, password or any other unique
identification feature of any other person, shall be punished
with imprisonment of either description for a term which may
extend to three years and shall also be liable to fine which may
extend to rupees one lakh.
66D. Punishment for cheating by personation by using
computer resource. 101
Whoever, by means of any communication device or computer
resource cheats by personation, shall be punished with
imprisonment of either description for a term which may
extend to three years and shall also be liable to fine which may
extend to one lakh rupees.

100 Inserted by Information Technology (Amendment) Act, 2008

101 Inserted by Information Technology (Amendment) Act, 2008

102 Inserted by Information Technology (Amendment) Act, 2008.

66E. Punishment for violation of privacy. 102
Whoever, intentionally or knowingly captures, publishes or
transmits the image of a private area of any person without his
or her consent, under circumstances violating the privacy of
that person, shall be punished with imprisonment which may
extend to three years or with fine not exceeding two lakh
rupees, or with both.
Explanation. - For the purposes of this section
(a) transmit means to electronically send a visual image with
the intent that it be viewed by a person or persons;
(b) capture, with respect to an image, means to videotape,
photograph, film or record by any means;
(c) private area means the naked or undergarment clad
genitals, pubic area, buttocks or female breast;
(d) publishes means reproduction in the printed or electronic
form and making it available for public;
(e) under circumstances violating privacy means
circumstances in which a person can have a reasonable
expectation that
(i) he or she could disrobe in privacy, without being
concerned that an image of his private area was being
captured; or
(ii) any part of his or her private area would not be
visible to the public, regardless of whether that person
is in a public or private place.
66F. Punishment for cyber terrorism103

103 Inserted by Information Technology (Amendment) Act, 2008.

(1) Whoever,
(A) with intent to threaten the unity, integrity, security or
sovereignty of India or to strike terror in the people or any
section of the people by
(i) denying or cause the denial of access to any person
authorised to access computer resource; or
(ii) attempting to penetrate or access a computer
resource without authorisation or exceeding
authorised access; or
(iii) introducing or causing to introduce any computer
contaminant,
and by means of such conduct causes or is likely to cause death
or injuries to persons or damage to or destruction of property
or disrupts or knowing that it is likely to cause damage or
disruption of supplies or services essential to the life of the
community or adversely affect the critical information
infrastructure specified under section 70; or
(B) knowingly or intentionally penetrates or accesses a
computer resource without authorisation or exceeding
authorised access, and by means of such conduct obtains access
to information, data or computer database that is restricted for
reasons of the security of the State or foreign relations; or any
restricted information, data or computer database, with
reasons to believe that such information, data or computer
database so obtained may be used to cause or likely to cause
injury to the interests of the sovereignty and integrity of India,
the security of the State, friendly relations with foreign States,
public order, decency or morality, or in relation to contempt of
court, defamation or incitement to an offence, or to the
advantage of any foreign nation, group of individuals or
otherwise, commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism
shall be punishable with imprisonment which may extend to
imprisonment for life.
67. Punishment for publishing or transmitting obscene
material in electronic form104
Whoever publishes or transmits or causes to be published or
transmitted in the electronic form, any material which is
lascivious or appeals to the prurient interest or if its effect is
such as to tend to deprave and corrupt persons who are likely,
having regard to all relevant circumstances, to read, see or hear
the matter contained or embodied in it, shall be punished on
first conviction with imprisonment of either description for a
term which may extend to three years and with fine which may
extend to five lakh rupees and in the event of second or
subsequent conviction with imprisonment of either description
for a term which may extend to five years and also with fine
which may extend to ten lakh rupees.105

104 Also refer to the Order dated 27th February, 2003 [G.S.R. 181(E)] that
prescribes the procedure for blocking of websites.

105 Substituted by Information Technology (Amendment) Act, 2008 for Whoever
publishes or transmits or causes to be published in the electronic form, any
material which is lascivious or appeal to the prurient interest or if its effect is such
as to tend to deprave and corrupt persons who are likely, having regard to all
relevant circumstances, to read, see or hear the matter contained or embodied in it,
shall be punished on first conviction with imprisonment of either description for a
term which may extend to five years and with fine which may extend to one lakh
rupees and in the event of a second or subsequent conviction with imprisonment
of either description for a term which may extend to ten years and also with fine
which may extend to two lakh rupees.

67A. Punishment for publishing or transmitting of
material containing sexually explicit act, etc., in electronic
form. 106
Whoever publishes or transmits or causes to be published or
transmitted in the electronic form any material which contains
sexually explicit act or conduct shall be punished on first
conviction with imprisonment of either description for a term
which may extend to five years and with fine which may extend
to ten lakh rupees and in the event of second or subsequent
conviction with imprisonment of either description for a term
which may extend to seven years and also with fine which may
extend to ten lakh rupees.
67B. Punishment for publishing or transmitting of material
depicting children in sexually explicit act, etc., in electronic
form107
Whoever,
(a) publishes or transmits or causes to be published or
transmitted material in any electronic form which depicts
children engaged in sexually explicit act or conduct; or
(b) creates text or digital images, collects, seeks, browses,
downloads, advertises, promotes, exchanges or distributes
material in any electronic form depicting children in obscene
or indecent or sexually explicit manner; or

106 Inserted by Information Technology (Amendment) Act, 2008.

107 Inserted by Information Technology (Amendment) Act, 2008.

(c) cultivates, entices or induces children to online relationship
with one or more children for and on sexually explicit act or in
a manner that may offend a reasonable adult on the computer
resource; or
(d) facilitates abusing children online; or
(e) records in any electronic form own abuse or that of others
pertaining to sexually explicit act with children,
shall be punished on first conviction with imprisonment of
either description for a term which may extend to five years
and with fine which may extend to ten lakh rupees and in the
event of second or subsequent conviction with imprisonment
of either description for a term which may extend to seven
years and also with fine which may extend to ten lakh rupees:
Provided that provisions of section 67, section 67A and this
section does not extend to any book, pamphlet, paper, writing,
drawing, painting representation or figure in electronic form
(i) the publication of which is proved to be justified as
being for the public good on the ground that such book,
pamphlet, paper, writing, drawing, painting
representation or figure is in the interest of science,
literature, art or learning or other objects of general
concern; or
(ii) which is kept or used for bona fide heritage or
religious purposes.
Explanation. - For the purposes of this section, children
means a person who has not completed the age of 18 years.

67C. Preservation and retention of information by
intermediaries108
(1) Intermediary shall preserve and retain such information as
may be specified for such duration and in such manner and
format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly
contravenes the provisions of sub-section (1) shall be punished
with an imprisonment for a term which may extend to three
years and shall also be liable to fine.
68. Power of the Controller to give directions.
(1) The Controller may, by order, direct a Certifying Authority
or any employee of such Authority to take such measures or
cease carrying on such activities as specified in the order if
those are necessary to ensure compliance with the provisions
of this Act, rules or any regulations made thereunder.
(2) Any person who intentionally or knowingly fails to comply
with any order under sub-section (1) shall be guilty of an
offence and shall be liable on conviction to imprisonment for a
term not exceeding two years or a fine not exceeding one lakh
rupees or with both.109

108 Inserted by Information Technology (Amendment) Act, 2008.

109 Substituted by Information Technology (Amendment) Act, 2008 for Any
person who fails to comply with any order under sub-section (1) shall be guilty of
an offence and shall be liable on conviction to imprisonment for a term not
exceeding three years or to a fine not exceeding two lakh rupees or to both.

69. Power to issue directions for interception or
monitoring or decryption of any information through any
computer resource.110
(1) Where the Central Government or a State Government or
any of its officers specially authorised by the Central
Government or the State Government, as the case may be, in
this behalf may, if satisfied that it is necessary or expedient so
to do, in the interest of the sovereignty or integrity of India,
defence of India, security of the State, friendly relations with
foreign States or public order or for preventing incitement to
the commission of any cognizable offence relating to above or
for investigation of any offence, it may be subject to the
provisions of sub-section (2), for reasons to be recorded in
writing, by order, direct any agency of the appropriate
Government to intercept, monitor or decrypt or cause to be
intercepted or monitored or decrypted any information
generated, transmitted, received or stored in any computer
resource.
(2) The procedure and safeguards subject to which such
interception or monitoring or decryption may be carried out,
shall be such as may be prescribed.
110 Substituted by Information Technology (Amendment) Act, 2008 for 69.
Directions of Controller to a subscriber to extend facilities to decrypt information.
(1) If the Controller is satisfied that it is necessary or expedient so to do in the
interest of the sovereignty or integrity of India, the security of the State, friendly
relations with foreign States or public order or for preventing incitement to the
commission of any cognizable offence, for reasons to be recorded in writing, by
order, direct any agency of the Government to intercept any information
transmitted through any computer resource. (2) The subscriber or any person in
charge of the computer resource shall, when called upon by any agency which has
been directed under sub-section (1), extend all facilities and technical assistance to
decrypt the information. (3) The subscriber or any person who fails to assist the
agency referred to in sub-section (2) shall be punished with an imprisonment for a
term which may extend to seven years.

(3) The subscriber or intermediary or any person in-charge of
the computer resource shall, when called upon by any agency
referred to in sub-section (1), extend all facilities and technical
assistance to
(a) provide access to or secure access to the computer
resource generating, transmitting, receiving or storing
such information; or
(b) intercept, monitor, or decrypt the information, as
the case may be; or
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to
assist the agency referred to in sub-section (3) shall be
punished with imprisonment for a term which may extend to
seven years and shall also be liable to fine.
69A. Power to issue directions for blocking public access of
any information through any computer resource. 111
(1) Where the Central Government or any of its officers
specially authorised by it in this behalf is satisfied that it is
necessary or expedient so to do, in the interest of sovereignty
and integrity of India, defence of India, security of the State,
friendly relations with foreign States or public order or for
preventing incitement to the commission of any cognizable
offence relating to above, it may subject to the provisions of
sub-section (2), for reasons to be recorded in writing, by order,
direct any agency of the Government or intermediary to block
for access by the public or cause to be blocked for access by the
public any information generated, transmitted, received, stored
or hosted in any computer resource.

111 Inserted by Information Technology (Amendment) Act, 2008.

(2) The procedure and safeguards subject to which such
blocking for access by the public may be carried out, shall be
such as may be prescribed.
(3) The intermediary who fails to comply with the direction
issued under sub-section (1) shall be punished with an
imprisonment for a term which may extend to seven years and
shall also be liable to fine.
69B. Power to authorise to monitor and collect traffic data
or information through any computer resource for cyber
security112
(1) The Central Government may, to enhance cyber security
and for identification, analysis and prevention of intrusion or
spread of computer contaminant in the country, by notification
in the Official Gazette, authorise any agency of the Government
to monitor and collect traffic data or information generated,
transmitted, received or stored in any computer resource.
(2) The intermediary or any person in-charge of the computer
resource shall, when called upon by the agency which has been
authorised under sub-section (1), provide technical assistance
and extend all facilities to such agency to enable online access
or to secure and provide online access to the computer
resource generating, transmitting, receiving or storing such
traffic data or information.

112 Inserted by Information Technology (Amendment) Act, 2008.

(3) The procedure and safeguards for monitoring and
collecting traffic data or information, shall be such as may be
prescribed.
(4) Any intermediary who intentionally or knowingly
contravenes the provisions of sub-section (2) shall be punished
with an imprisonment for a term which may extend to three
years and shall also be liable to fine.
Explanation. For the purposes of this section,
(i) computer contaminant shall have the meaning
assigned to it in section 43;
(ii) traffic data means any data identifying or
purporting to identify any person, computer system
or computer network or location to or from which
the communication is or may be transmitted and
includes communications origin, destination, route,
time, date, size, duration or type of underlying
service and any other information.

70. Protected system.
(1) The appropriate Government may, by notification in the
Official Gazette, declare any computer resource which directly
or indirectly affects the facility of Critical Information
Infrastructure, to be a protected system. 113

113 Also refer to Executive Order dated 12th September, 2002 which states inter
alia that For the purpose of sub-section 1 of Section 70 of the Act, details of
every protected computer, computer system or computer network so notified by
appropriate government may be informed to the Controller of Certifying
Authorities, Department of Information Technology, 6 CGO Complex, New Delhi
for the purpose of records and exercising powers under the said Act.

Explanation. For the purposes of this section, Critical
Information Infrastructure means the computer resource, the
incapacitation or destruction of which, shall have debilitating
impact on national security, economy, public health or
safety;114
(2) The appropriate Government may, by order in writing,
authorise the persons who are authorised to access protected
systems notified under sub-section (1)
(3) Any person who secures access or attempts to secure
access to a protected system in contravention of the provisions
of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall
also be liable to fine.
(4) The Central Government shall prescribe the information
security practices and procedures for such protected system. 115

70A. National Nodal Agency116


(1) The Central Government may, by notification published in
the Official Gazette, designate any organisation of the
Government as the national nodal agency in respect of Critical
Information Infrastructure Protection.

114 Substituted by Information Technology (Amendment) Act, 2008 for The
appropriate Government may, by notification in the Official Gazette, declare that
any computer, computer system or computer network to be a protected system.

115 Inserted by Information Technology (Amendment) Act, 2008.

116 Inserted by Information Technology (Amendment) Act, 2008.

(2) The national nodal agency designated under sub-section
(1) shall be responsible for all measures including Research
and Development relating to protection of Critical Information
Infrastructure.
(3) The manner of performing functions and duties of the
agency referred to in sub-section (1) shall be such as may be
prescribed.
70B. Indian Computer Emergency Response Team to serve
as national agency for incident response117
(1) The Central Government shall, by notification in the Official
Gazette, appoint an agency of the Government to be called the
Indian Computer Emergency Response Team.
(2) The Central Government shall provide the agency referred
to in sub-section (1) with a Director-General and such other
officers and employees as may be prescribed.
(3) The salary and allowances and terms and conditions of the
Director-General and other officers and employees shall be
such as may be prescribed.
(4) The Indian Computer Emergency Response Team shall
serve as the national agency for performing the following
functions in the area of cyber security,-
(a) collection, analysis and dissemination of
information on cyber incidents;
(b) forecast and alerts of cyber security incidents;
(c) emergency measures for handling cyber security
incidents;
(d) coordination of cyber incidents response activities;
(e) issue guidelines, advisories, vulnerability notes and
whitepapers relating to information security practices,
procedures, prevention, response and reporting of
cyber incidents;
(f) such other functions relating to cyber security as
may be prescribed.

117 Inserted by Information Technology (Amendment) Act, 2008.

(5) The manner of performing functions and duties of the
agency referred to in sub-section (1) shall be such as may be
prescribed.
(6) For carrying out the provisions of sub-section (4), the
agency referred to in sub-section (1) may call for information
and give direction to the service providers, intermediaries, data
centers, body corporate and any other person.
(7) Any service provider, intermediaries, data centers, body
corporate or person who fails to provide the information called
for or comply with the direction under sub-section (6), shall be
punishable with imprisonment for a term which may extend to
one year or with fine which may extend to one lakh rupees or
with both.
(8) No court shall take cognizance of any offence under this
section, except on a complaint made by an officer authorised in
this behalf by the agency referred to in sub-section (1).
71. Penalty for misrepresentation.
Whoever makes any misrepresentation, to, or suppresses any
material fact from, the Controller or the Certifying Authority
for obtaining any licence or Electronic Signature118 Certificate,
as the case may be, shall be punished with imprisonment for a
term which may extend to two years, or with fine which may
extend to one lakh rupees, or with both.
72. Breach of confidentiality and privacy.
Save as otherwise provided in this Act or any other law for the
time being in force, if any person who, in pursuance of any of
the powers conferred under this Act, rules or regulations made
thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other
material without the consent of the person concerned discloses
such electronic record, book, register, correspondence,
information, document or other material to any other person
shall be punished with imprisonment for a term which may
extend to two years, or with fine which may extend to one lakh
rupees, or with both.
72A. Punishment for disclosure of information in breach
of lawful contract119
Save as otherwise provided in this Act or any other law for the
time being in force, any person including an intermediary who,
while providing services under the terms of lawful contract,
has secured access to any material containing personal
information about another person, with the intent to cause or
knowing that he is likely to cause wrongful loss or wrongful
gain discloses, without the consent of the person concerned, or
in breach of a lawful contract, such material to any other
person, shall be punished with imprisonment for a term which
may extend to three years, or with fine which may extend to
five lakh rupees, or with both.

118 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
119 Inserted by Information Technology (Amendment) Act, 2008.

73. Penalty for publishing Electronic Signature120
Certificate false in certain particulars.
(1) No person shall publish a Electronic Signature121 Certificate
or otherwise make it available to any other person with the
knowledge that-
(a) the Certifying Authority listed in the certificate has
not issued it; or
(b) the subscriber listed in the certificate has not
accepted it; or
(c) the certificate has been revoked or suspended,
unless such publication is for the purposes of verifying a digital
signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section
(1) shall be punished with imprisonment for a term which may
extend to two years, or with fine which may extend to one lakh
rupees, or with both.
120 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
121 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

74. Publication for fraudulent purpose.
Whoever knowingly creates, publishes or otherwise makes
available a Electronic Signature122 Certificate for any fraudulent
or unlawful purpose shall be punished with imprisonment for a
term which may extend to two years, or with fine which may
extend to one lakh rupees, or with both.
75. Act to apply for offence or contravention committed
outside India.
(1) Subject to the provision of sub-section (2), the provisions of
this Act shall apply also to any offence or contravention
committed outside India by any person irrespective of his
nationality.
(2) For the purposes of sub-section (1), this Act shall apply to
an offence or contravention committed outside India by any
person if the act or conduct constituting the offence or
contravention involves a computer, computer system or
computer network located in India.
76. Confiscation.
Any computer, computer system, floppies, compact disks, tape
drives or any other accessories related thereto, in respect of
which any provision of this Act, rule, orders or
regulations made thereunder has been or is being contravened,
shall be liable to confiscation:
Provided that where it is established to the satisfaction of the
court adjudicating the confiscation that the person in whose
possession, power or control of any such computer, computer
system, floppies, compact disks, tape drives or any other
accessories relating thereto is found is not responsible for the
contravention of the provisions of this Act, rules, orders or
regulations made thereunder, the court may, instead of making
an order for confiscation of such computer, computer system,
floppies, compact disks, tape drives or any other accessories
related thereto, make such other order authorised by this Act
against the person contravening of the provisions of this Act,
rules, orders or regulations made thereunder as it may think
fit.

122 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

77. Compensation, penalties or confiscation not to
interfere with other punishment.123
No compensation awarded, penalty imposed or confiscation
made under this Act shall prevent the award of compensation
or imposition of any other penalty or punishment under any
other law for the time being in force.
77A. Compounding of offences124
A court of competent jurisdiction may compound offences,
other than offences for which the punishment for life or
imprisonment for a term exceeding three years has been
provided, under this Act:

123 Substituted by Information Technology (Amendment) Act, 2008 for "77.
Penalties or confiscation not to interfere with other punishments. No penalty
imposed or confiscation made under this Act shall prevent the imposition of any
other punishment to which the person affected thereby is liable under any other
law for the time being in force."
124 Inserted by Information Technology (Amendment) Act, 2008.

Provided that the court shall not compound such offence
where the accused is, by reason of his previous conviction,
liable to either enhanced punishment or to a punishment of a
different kind:
Provided further that the court shall not compound any offence
where such offence affects the socio economic conditions of the
country or has been committed against a child below the age of
18 years or a woman.
(2) The person accused of an offence under this Act may file an
application for compounding in the court in which offence is
pending for trial and the provisions of sections 265B and 265C
of the Code of Criminal Procedure, 1973 shall apply.
77B. Offences with three years imprisonment to be
bailable125
Notwithstanding anything contained in the Code of Criminal
Procedure, 1973, the offence punishable with imprisonment of
three years and above shall be cognizable and the offence
punishable with imprisonment of three years shall be bailable.
78. Power to investigate offence.
Notwithstanding anything contained in the Code of Criminal
Procedure, 1973 (2 of 1974), a police officer not below the rank
of Inspector126 shall investigate any offence under this Act.

125 Inserted by Information Technology (Amendment) Act, 2008.
126 The word "Inspector" substituted for the words "Deputy Superintendent of
Police" by Information Technology (Amendment) Act, 2008.

CHAPTER XII
INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES127
79. Exemption from liability of intermediary in certain
cases.
(1) Notwithstanding anything contained in any law for the time
being in force but subject to the provisions of sub-sections (2)
and (3), an intermediary shall not be liable for any third party
information, data, or communication-link made available or
hosted by him.
(2) The provisions of sub-section (1) shall apply if
(a) the function of the intermediary is limited to providing
access to a communication system over which information
made available by third parties is transmitted or temporarily
stored or hosted; or
(b) the intermediary does not
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the
transmission;
(c) the intermediary observes due diligence while discharging
his duties under this Act and also observes such other
guidelines as the Central Government may prescribe in this
behalf.

127 Substituted by Information Technology (Amendment) Act, 2008 for
NETWORK SERVICE PROVIDERS NOT TO BE LIABLE IN CERTAIN
CASES - 79. Network service providers not to be liable in certain cases. For the
removal of doubts, it is hereby declared that no person providing any service as a
network service provider shall be liable under this Act, rules or regulations made
thereunder for any third party information or data made available by him if he
proves that the offence or contravention was committed without his knowledge or
that he had exercised all due diligence to prevent the commission of such offence
or contravention. Explanation.- For the purposes of this section,- (a) "network
service provider" means an intermediary; (b) "third party information" means any
information dealt with by a network service provider in his capacity as an
intermediary;
Press note regarding diligence to be observed under Intermediary
Guidelines Rules were issued by the Government on 11 May 2011.

(3) The provisions of sub-section (1) shall not apply if
(a) the intermediary has conspired or abetted or aided or
induced, whether by threats or promise or otherwise in the
commission of the unlawful act;
(b) upon receiving actual knowledge, or on being notified by
the appropriate Government or its agency that any
information, data or communication link residing in or
connected to a computer resource controlled by the
intermediary is being used to commit the unlawful act, the
intermediary fails to expeditiously remove or disable access to
that material on that resource without vitiating the evidence in
any manner.
Explanation.- For the purposes of this section, the expression
"third party information" means any information dealt with by
an intermediary in his capacity as an intermediary.

CHAPTER XIIA
EXAMINER OF ELECTRONIC EVIDENCE128

79A. Central Government to notify Examiner of Electronic
Evidence.
The Central Government may, for the purposes of providing
expert opinion on electronic form evidence before any court or
other authority specify, by notification in the Official Gazette,
any Department, body or agency of the Central Government or
a State Government as an Examiner of Electronic Evidence.
Explanation.- For the purposes of this section, "electronic form
evidence" means any information of probative value that is
either stored or transmitted in electronic form and includes
computer evidence, digital audio, digital video, cell phones,
digital fax machines.

CHAPTER XIII
MISCELLANEOUS

128 Inserted by Information Technology (Amendment) Act, 2008.

80. Power of police officer and other officers to enter,
search, etc.
(1) Notwithstanding anything contained in the Code of
Criminal Procedure, 1973 any police officer, not below the rank
of a Inspector129, or any other officer of the Central
Government or a State Government authorised by the Central
Government in this behalf may enter any public place and
search and arrest without warrant any
person found therein who is reasonably suspected of having
committed or of committing or of being about to commit any
offence under this Act.
Explanation.- For the purposes of this sub-section, the
expression "public place" includes any public conveyance, any
hotel, any shop or any other place intended for use by, or
accessible to the public.
(2) Where any person is arrested under sub-section (1) by an
officer other than a police officer, such officer shall, without
unnecessary delay, take or send the person arrested before a
magistrate having jurisdiction in the case or before the
officer-in-charge of a police station.
(3) The provisions of the Code of Criminal Procedure, 1973 (2
of 1974) shall, subject to the provisions of this section, apply,
so far as may be, in relation to any entry, search or arrest, made
under this section.
81. Act to have overriding effect.
The provisions of this Act shall have effect notwithstanding
anything inconsistent therewith contained in any other law for
the time being in force.
Provided that nothing contained in this Act shall restrict any
person from exercising any right conferred under the
Copyright Act, 1957 or the Patents Act, 1970. 130

129 The word "Inspector" substituted for the words "Deputy Superintendent of
Police" by Information Technology (Amendment) Act, 2008.

81A Application of the Act to electronic cheque and
truncated cheque131
(1) The provisions of this Act, for the time being in force, shall
apply to, or in relation to, electronic cheques and the truncated
cheques subject to such modifications and amendments as may
be necessary for carrying out the purposes of the Negotiable
Instruments Act, 1881 by the Central Government, in
consultation with the Reserve Bank of India, by notification in
the Official Gazette.
(2) Every notification made by the Central Government under
sub-section (1) shall be laid, as soon as may be after it is made,
before each House of Parliament, while it is in session, for a
total period of thirty days which may be comprised in one
session or in two or more successive sessions, and if, before the
expiry of the session immediately following the session or the
successive sessions aforesaid, both Houses agree in making any
modification in the notification or both Houses agree that the
notification should not be made, the notification shall
thereafter have effect only in such modified form or be of no
effect, as the case may be; so, however, that any such
modification or annulment shall be without prejudice to the
validity of anything previously done under that notification.

130 Inserted by Information Technology (Amendment) Act, 2008.
131 Inserted by Negotiable Instruments (Amendment and Miscellaneous
Provisions) Act, 2002

Explanation.- For the purposes of this Act, the expressions
"electronic cheque" and "truncated cheque" shall have the
same meaning as assigned to them in section 6 of the
Negotiable Instruments Act, 1881.
82. Chairperson, Members, Officers and employees to be
public servants.
The Chairperson, Members and other officers and employees of
a Cyber Appellate Tribunal, the Controller, the Deputy
Controller and the Assistant Controllers shall be deemed to be
public servants within the meaning of section 21 of the Indian
Penal Code (45 of 1860).
83. Power to give directions.
The Central Government may give directions to any State
Government as to the carrying into execution in the State of
any of the provisions of this Act or of any rule, regulation or
order made thereunder.
84. Protection of action taken in good faith.
No suit, prosecution or other legal proceeding shall lie against
the Central Government, the State Government, the Controller
or any person acting on behalf of him, the Chairperson,
Members, adjudicating officers and the staff of the Cyber
Appellate Tribunal for anything which is in good faith done or
intended to be done in pursuance of this Act or any rule,
regulation or order made thereunder.
84A. Modes or methods for encryption132
The Central Government may, for secure use of the electronic
medium and for promotion of e-governance and e-commerce,
prescribe the modes or methods for encryption.

132 Inserted by Information Technology (Amendment) Act, 2008.

84B. Punishment for abetment of offences133
Whoever abets any offence shall, if the act abetted is committed
in consequence of the abetment, and no express provision is
made by this Act for the punishment of such abetment, be
punished with the punishment provided for the offence under
this Act.
Explanation.- An act or offence is said to be committed in
consequence of abetment, when it is committed in consequence
of the instigation, or in pursuance of the conspiracy, or with the
aid which constitutes the abetment.
84C. Punishment for attempt to commit offences134
Whoever attempts to commit an offence punishable by this Act
or causes such an offence to be committed, and in such an
attempt does any act towards the commission of the offence,
shall, where no express provision is made for the punishment
of such attempt, be punished with imprisonment of any
description provided for the offence, for a term which may
extend to one-half of the longest term of imprisonment
provided for that offence, or with such fine as is provided for
the offence, or with both.

133 Inserted by Information Technology (Amendment) Act, 2008.
134 Inserted by Information Technology (Amendment) Act, 2008.

85. Offences by companies.
(1) Where a person committing a contravention of any of the
provisions of this Act or of any rule, direction or order made
thereunder is a company, every person who, at the time the
contravention was committed, was in charge of, and was
responsible to, the company for the conduct of business of the
company as well as the company, shall be guilty of the
contravention and shall be liable to be proceeded against and
punished accordingly:
Provided that nothing contained in this sub-section shall
render any such person liable to punishment if he proves that
the contravention took place without his knowledge or that he
exercised all due diligence to prevent such contravention.
(2) Notwithstanding anything contained in sub-section (1),
where a contravention of any of the provisions of this Act or of
any rule, direction or order made thereunder has been
committed by a company and it is proved that the
contravention has taken place with the consent or connivance
of, or is attributable to any neglect on the part of, any director,
manager, secretary or other officer of the company, such
director, manager, secretary or other officer shall also be
deemed to be guilty of the contravention and shall be liable to
be proceeded against and punished accordingly.
Explanation.- For the purposes of this section,-
(i) "company" means any body corporate and includes
a firm or other association of individuals; and
(ii) "directors", in relation to a firm, means a partner in
the firm.
86. Removal of difficulties.
(1) If any difficulty arises in giving effect to the provisions of
this Act, the Central Government may, by order published in
the Official Gazette, make such provisions not inconsistent with
the provisions of this Act as appear to it to be necessary or
expedient for removing the difficulty;
Provided that no order shall be made under this section after the
expiry of a period of two years from the commencement of this
Act.
(2) Every order made under this section shall be laid, as soon
as may be after it is made, before each House of Parliament.
87. Power of Central Government to make rules135.
(1) The Central Government may, by notification in the Official
Gazette and in the Electronic Gazette, make rules to carry out
the provisions of this Act.

135 Refer to Information Technology (Qualification and Experience of
Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 dated 17th
March 2003.
Also refer to Information Technology (Certifying Authorities) Rules, 2000 dated
17th October 2000 as amended by Information Technology (Certifying
Authorities) (Amendment) Rules, 2003 and Notification [No 11(7)/2003-CCA]
dated 23rd April 2004 and Information Technology (Certifying Authorities)
(Amendment) Rules, 2005.
Also refer to Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
Also refer to Cyber Regulations Appellate Tribunal (Salary, Allowances and other
terms and conditions of service of Presiding Officer) Rules, 2003
Also refer to Information Technology (Security Procedure) Rules 2004
Also refer to Information Technology (Qualification and Experience of
Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003.

(2) In particular, and without prejudice to the generality of the
foregoing power, such rules may provide for all or any of the
following matter, namely:-
(a) the conditions for considering reliability of
electronic signature or electronic authentication
technique under sub-section (2) of section 3A;136
(aa) the procedure for ascertaining electronic signature
or authentication under sub-section (3) of section 3A; 137
(ab) the manner in which any information or matter
may be authenticated by means of electronic signature
under section 5; 138
(b) the electronic form in which filing, issue, grant or
payment shall be effected under sub-section (1) of
section 6
(c) the manner and format in which electronic records
shall be filed, or issued and the method of payment
under sub-section (2) of section 6;

136 Substituted by Information Technology (Amendment) Act, 2008 for "(a) the
manner in which any information or matter may be authenticated by means of
digital signature under section 5;"
137 Inserted by Information Technology (Amendment) Act, 2008.
138 Inserted by Information Technology (Amendment) Act, 2008.

(ca) the manner in which the authorised service
provider may collect, retain and appropriate service
charges under sub-section (2) of section 6A; 139
(d) the matters relating to the type of electronic
signature140, manner and format in which it may be
affixed under section 10;
(e) the manner of storing and affixing electronic
signature creation data under section 15;141
(ea) the security procedures and practices under
section 16; 142
(f) the qualifications, experience and terms and
conditions of service of Controller, Deputy Controllers,
Assistant Controllers, other officers and employees143
under section 17;

139 Inserted by Information Technology (Amendment) Act, 2008.
140 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
141 Substituted by Information Technology (Amendment) Act, 2008 for "(e) the
security procedure for the purpose of creating secure electronic record and secure
digital signature under section 16;"
142 Inserted by Information Technology (Amendment) Act, 2008.
143 The words ", Assistant Controllers, other officers and employees" substituted
for "and Assistant Controllers" by Information Technology (Amendment) Act,
2008.

(g) omitted by Information Technology (Amendment)
Act, 2008144
(h) the requirements which an applicant must fulfill
under sub-section (2) of section 21;
(i) the period of validity of licence granted under clause
(a) of sub-section (3) of section 21;
(j) the form in which an application for licence may be
made under sub-section (1) of Section 22;
(k) the amount of fees payable under clause (c) of
sub-section (2) of section 22;
(l) such other documents which shall accompany an
application for licence under clause (d) of sub-section
(2) of section 22;
(m) the form and the fee for renewal of a licence and
the fee payable thereof under section 23;
(ma) the form of application and fee for issue of
Electronic Signature Certificate under section 35; 145
(n) the form in which application for issue of a
Electronic Signature146 Certificate may be made under
sub-section (1) of section 35;

144 (g) other standards to be observed by the Controller under clause (b) of
sub-section (2) of section 20;
145 Inserted by Information Technology (Amendment) Act, 2008.
146 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.

(o) the fee to be paid to the Certifying Authority for
issue of a Electronic Signature147 Certificate under
sub-section (2) of section 35;
(oa) the duties of subscribers under section 40A; 148
(ob) the reasonable security practices and procedures
and sensitive personal data or information under
section 43A; 149
(p) the manner in which the adjudicating officer shall
hold inquiry under sub-section (1) of section 46;
(q) the qualification and experience which the
adjudicating officer shall possess under sub-section (2)
of section 46;
(r) the salary, allowances and the other terms and
conditions of service of the Chairperson and
Members150 under section 52;
(s) the procedure for investigation of misbehaviour or
incapacity of the Chairperson and Members 151 under
sub-section (3) of section 54;

147 The words "electronic signature" substituted for "digital signature" by
Information Technology (Amendment) Act, 2008.
148 Inserted by Information Technology (Amendment) Act, 2008.
149 Inserted by Information Technology (Amendment) Act, 2008.
150 The words "Chairperson and Members" substituted for "Presiding Officer" by
Information Technology (Amendment) Act, 2008.

(t) the salary and allowances and other conditions of
service of other officers and employees under
sub-section (3) of section 56;
(u) the form in which appeal may be filed and the fee
thereof under sub-section (3) of section 57;
(v) any other power of a civil court required to be
prescribed under clause (g) of sub-section (2) of
section 58; and
(w) the powers and functions of the Chairperson of the
Cyber Appellate Tribunal under section 52A;152
(x) the information, duration, manner and form of such
information to be retained and preserved under section
67C; 153
(y) the procedures and safeguards for interception,
monitoring, or decryption under sub-section (2) of
section 69; 154
(z) the procedure and safeguard for blocking for access
by the public under sub-section (2) of section 69A; 155

151 The words "Chairperson and Members" substituted for "Presiding Officer" by
Information Technology (Amendment) Act, 2008.
152 Substituted by Information Technology (Amendment) Act, 2008 for "(w) any
other matter which is required to be, or may be, prescribed."
153 Inserted by Information Technology (Amendment) Act, 2008.
154 Inserted by Information Technology (Amendment) Act, 2008.
155 Inserted by Information Technology (Amendment) Act, 2008.

(za) the procedure and safeguards for monitoring and
collecting traffic data or information under sub-section
(3) of section 69B; 156
(zb) the information security practices and procedures
for protected system under section 70; 157
(zc) manner of performing functions and duties of the
agency under sub-section (3) of section 70A; 158
(zd) the officers and employees under sub-section (2) of
section 70B; 159
(ze) salaries and allowances and terms and conditions
of service of the Director General and other officers and
employees under sub-section (3) of section 70B; 160
(zf) the manner in which the functions and duties of
agency shall be performed under sub-section (5) of
section 70B; 161
(zg) the guidelines to be observed by the
intermediaries under sub-section (2) of section 79; 162

156 Inserted by Information Technology (Amendment) Act, 2008.
157 Inserted by Information Technology (Amendment) Act, 2008.
158 Inserted by Information Technology (Amendment) Act, 2008.
159 Inserted by Information Technology (Amendment) Act, 2008.
160 Inserted by Information Technology (Amendment) Act, 2008.
161 Inserted by Information Technology (Amendment) Act, 2008.

(zh) the modes or methods for encryption under
section 84A; 163
(3) Every notification made by the Central Government under
sub-section (1) of section 70A and every rule made by it 164
shall be laid, as soon as may be after it is made, before each
House of Parliament, while it is in session, for a total period of
thirty days which may be comprised in one session or in two or
more successive sessions, and if, before the expiry of the
session immediately following the session or the successive
sessions aforesaid, both Houses agree in making any
modification in 165 the rule or both Houses agree that 166 the
rule should not be made, 167 the rule shall thereafter have effect
only in such modified form or be of no effect, as the case may
be, so, however, that any such modification or annulment shall
be without prejudice to the validity of anything previously
done under that notification or rule.

162 Inserted by Information Technology (Amendment) Act, 2008.
163 Inserted by Information Technology (Amendment) Act, 2008.
164 The words "Every notification made by the Central Government under
sub-section (1) of section 70A and every rule made by it" substituted by Information
Technology (Amendment) Act, 2008 for "Every notification made by the Central
Government under clause (f) of sub-section (4) of section 1 and every rule made
by it".
165 The words "the notification or" omitted by Information Technology
(Amendment) Act, 2008.
166 The words "the notification or" omitted by Information Technology
(Amendment) Act, 2008.
167 The words "the notification or" omitted by Information Technology
(Amendment) Act, 2008.

88. Constitution of Advisory Committee.
(1) The Central Government shall, as soon as may be after the
commencement of this Act, constitute a Committee called the
Cyber Regulations Advisory Committee.
(2) The Cyber Regulations Advisory Committee shall consist of
a Chairperson and such number of other official and
non-official members representing the interests principally affected
or having special knowledge of the subject-matter as the
Central Government may deem fit.
(3) The Cyber Regulations Advisory Committee shall advise-
(a) the Central Government either generally as regards
any rules or for any other purpose connected with this
Act;
(b) the controller in framing the regulation under this
Act.
(4) There shall be paid to the non-official members of such
Committee such traveling and other allowances as the Central
Government may fix.
89. Power of Controller to make regulations168.
(1) The Controller may, after consultation with the Cyber
Regulations Advisory Committee and with the previous
approval of the Central Government, by notification in the
Official Gazette, make regulations consistent with this Act and
the rules made thereunder to carry out the purposes of this Act.
168 Refer INFORMATION TECHNOLOGY (CERTIFYING AUTHORITY)
REGULATIONS, 2001 issued by Controller of Certifying Authorities on 9th July
2001 [G.S.R. 512 (E)]

(2) In particular, and without prejudice to the generality of the
foregoing power, such regulations may provide for all or any of
the following matters, namely:
(a) the particulars relating to maintenance of data-base
containing the disclosure record of every Certifying
Authority under clause (n) of section 18;
(b) the conditions and restrictions subject to which the
Controller may recognise any foreign Certifying
Authority under sub-section (1) of section 19;
(c) the terms and conditions subject to which a licence
may be granted under clause (c) of sub-section (3) of
section 21;
(d) other standards to be observed by a Certifying
Authority under clause (d) of section 30;
(e) the manner in which the Certifying Authority shall disclose the
matters specified in sub-section (1) of section 34;
(f) the particulars of statement which shall accompany
an application under sub-section (3) of section 35;
(g) the manner by which the subscriber shall
communicate the compromise of private key to the
certifying Authority under sub-section (2) of section 42.
(3) Every regulation made under this Act shall be laid, as soon
as may be after it is made, before each House of Parliament,
while it is in session, for a total period of thirty days which may
be comprised in one session or in two or more successive
sessions, and if, before the expiry of the session immediately
following the session or the successive sessions aforesaid, both
Houses agree in making any modification in the regulation or
both Houses agree that the regulation should not be made, the
regulation shall thereafter have effect only in such modified
form or be of no effect, as the case may be; so, however, that
any such modification or annulment shall be without prejudice
to the validity of anything previously done under that
regulation.
90. Power of State Government to make rules.
(1) The State Government may, by notification in the Official
Gazette, make rules to carry out the provisions of this Act.
(2) In particular, and without prejudice to the generality of the
foregoing power, such rules may provide for all or any of the
following matters, namely:
(a) the electronic form in which filing, issue, grant,
receipt or payment shall be effected under sub-section
(1) of section 6;
(b) for matters specified in sub-section (2) of section 6;
(c) omitted by Information Technology (Amendment)
Act, 2008. 169
(3) Every rule made by the State Government under this
section shall be laid, as soon as may be after it is made, before
each House of the State Legislature where it consists of two
Houses, or where such Legislature consists of one House,
before that House.

169 (c) any other matter which is required to be provided by rules by the State
Government.
91. omitted by Information Technology (Amendment) Act, 2008.170
92. omitted by Information Technology (Amendment) Act, 2008.171
93. omitted by Information Technology (Amendment) Act, 2008.172
94. omitted by Information Technology (Amendment) Act, 2008.173

FIRST SCHEDULE174
[See sub-section (4) of section 1]

170 Amendment of Act 45 of 1860.- The Indian Penal Code shall be
amended in the manner specified in the First Schedule to this Act.

171 Amendment of Act 1 of 1872. The Indian Evidence Act, 1872 shall
be amended in the manner specified in the Second Schedule to this Act.

172 Amendment of Act 18 of 1891.- The Bankers' Books Evidence Act,
1891 shall be amended in the manner specified in the Third Schedule to
this Act.

173 Amendment of Act 2 of 1934.- The Reserve Bank of India Act, 1934
shall be amended in the manner specified in the Fourth Schedule to this
Act.

174 Inserted by Information Technology (Amendment) Act, 2008.

DOCUMENTS OR TRANSACTIONS TO WHICH THE ACT SHALL NOT APPLY

Sl. No.  Description of documents or transactions

1.  A negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881.

2.  A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882.

3.  A trust as defined in section 3 of the Indian Trusts Act, 1882.

4.  A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition by whatever name called.

5.  Any contract for the sale or conveyance of immovable property or any interest in such property.

THE SECOND SCHEDULE175

[See sub-section (1) of section 3 A]

175 Inserted by Information Technology (Amendment) Act, 2008.

ELECTRONIC SIGNATURE OR ELECTRONIC AUTHENTICATION TECHNIQUE AND PROCEDURE

Sl. No. (1)   Description (2)   Procedure (3)

SIX

6. About the author

Rohas Nagpal
Rohas Nagpal is a lawyer by qualification, a cyber crime
investigator by profession, a hacker at heart and a programmer
by passion.
He advises corporates, law firms, Governments and law
enforcement agencies on issues relating to technology law,
cyber crime investigation, information warfare and cyber
terrorism.
He has assisted the Government of India in drafting rules and
regulations under the Information Technology Act. He is an
active public speaker on technology issues and has addressed
thousands of students, law enforcement personnel, lawyers
and other professionals around the world.
Rohas conducts training programs in technology law and cyber
crime investigation and has authored several books, papers
and articles on these topics.
He has authored several books in digital forensic investigation,
technology law and financial law. One of his publications, the
Cyber Crime Investigation Manual, has been referred to as a
bible for cyber crime investigators by Times of India - the
world's largest selling English newspaper. He is also the author
of the first ever Commentary on the Information Technology
Act.
Papers authored by him include "Internet Time Theft & the
Indian Law" (Bangalore, 2001), "Legislative Approach to Digital
Signatures" (Ecuador, 2001), "Indian Legal position on Cyber
Terrorism, Encryption and preventive measures" (on behalf of the
Karnataka Police for Otto Schily, Interior Minister, Federal
Republic of Germany), "Defining Cyber Terrorism" (Nagpur,
2002), "The mathematics of terror" (Nagpur, 2002) and "Cyber
Terrorism - A Global Perspective" (Spain, 2002).

He has also co-authored an Internet Draft titled "Biometric based
Digital Signature scheme", which proposes a method of using
biometrics to generate keys for use in digital signature creation
and verification.
He was part of the team that developed the world's smallest
cyber crime investigation device, pCHIP - a Portable Mega
Investigation & Forensic Solution. This device is capable of
capturing volatile evidence from a live computer, has an easy to
use interface, and provides detailed reports.
He is the founder of CyberAttack, an open community working
for cyber security. He also maintains www.bugs.ms, a
specialized search engine that tracks bugs and vulnerabilities
in Microsoft products. He is also the founder of the
proudIndian.me project.
He is a member of Information Systems Audit and Control
Association (ISACA), International Association for Cryptologic
Research (IACR), and a Sustaining Member of the Internet
Society (ISOC), which is the organizational home of the Internet
Engineering Task Force (IETF), the Internet Architecture Board
(IAB), the Internet Engineering Steering Group (IESG), and the
Internet Research Task Force (IRTF) - the standards setting
and research arms of the Internet community.
In 1999, Rohas Nagpal co-founded Cyber Tribe which today is
comprised of 11 organizations - Asian School of Cyber Laws,
TechJuris Law Consultants, ASCL Law School, Data64 Techno
Solutions Pvt. Ltd., Republic of Cyberia, Association of Digital
Forensic Investigators, Security Standards and Controls
Development Organization, Corporate Crime Control
Organization, Lexcode Regulatory Compliance Technologies
Pvt. Ltd., Data64 Technologies Pvt. Ltd. and Data64 Cyber
Solutions Pvt. Ltd.
