
Information Technology Act, 2000


• In 1996, the United Nations Commission on International Trade Law
(UNCITRAL) adopted the model law on electronic commerce (e-commerce)
to bring uniformity in the law in different countries.
• Further, the General Assembly of the United Nations recommended that all
countries must consider this model law before making changes to their own
laws. India became the 12th country to enable cyber law after it passed the
Information Technology Act, 2000.

• While the first draft was created by the Ministry of Commerce, Government
of India as the ECommerce Act, 1998, it was redrafted as the ‘Information
Technology Bill, 1999’, and passed in May 2000.
• “An Act to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication,
commonly referred to as “electronic commerce” which involve the use of
alternatives to paper-based methods of communication and storage of
information, to facilitate electronic filing of documents with the
Government agencies and further to amend the Indian Penal Code, the
Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the
Reserve Bank of India Act, 1934 and for matters connected therewith or
incidental thereto”.
• IT Act, 2000 focuses on three main highlights:
• a. Providing legal recognition to the transactions which are carried out
through electronic means or use of Internet.
• b. Empowering the government departments to accept filing, creating and
retention of official documents in the digital format and
• c. To amend outdated laws and provide ways to deal with cybercrimes.
Objectives of the Act

• Grant legal recognition to all transactions done via an electronic exchange of data
or other electronic means of communication or e-commerce, in place of the earlier
paper-based method of communication.
• Give legal recognition to digital signatures for the authentication of any information
or matters requiring legal authentication
• To give more power to IPO, RBI and Indian Evidence act for restricting electronic
crime.
• Facilitate the electronic filing of documents with Government agencies and also
departments
• Facilitate the electronic storage of data
• Give legal sanction and also facilitate the electronic transfer of funds
between banks and financial institutions
• Grant legal recognition to bankers under the Evidence Act, 1891 and the
Reserve Bank of India Act, 1934, for keeping the books of accounts in
electronic form.
2. Scope of IT Act:
• According to Section 1 (2), the Act extends to the entire country, which also includes Jammu and Kashmir.
• Further, it does not take citizenship into account and provides extra-territorial jurisdiction.
• Section 1 (2) along with Section 75, specifies that the Act is applicable to any offense or contravention committed
outside India as well.
• If the conduct of person constituting the offense involves a computer or a computerized system or network located in
India, then irrespective of his/her nationality, the person is punishable under the Act.
• Lack of international cooperation is the only limitation of this provision.
• The act shall apply to
• a. Processing of personal data or partly by automatic means, and
• b. Other processing of personal data which form part of or are intended to form part of personal data filing system.
• This act shall not apply to the following:
• The Information Technology Act 2000 does not apply to attestation for creating a trust by
electronic means. Physical attestation is a must.
• Execution of Negotiable Instrument under Negotiable Instruments Act, 1881, except
cheques.
• Execution of a Power of Attorney under the Powers of Attorney Act, 1882.
• Creation of Trust under Indian Trust Act, 1882.
• Execution of a Will under the Indian Succession Act, 1925 including any other testamentary
disposition by whatever name called.
• Entering into a contract for the sale or conveyance of immovable property or any interest in
such property.
• Any such class of documents or transactions as may be notified by the Central Government in
the Gazette.
3. Impact of IT Act
• From the perspective of ecommerce in India, the IT Act 2000 and its
provisions contain many positive aspects.
• a. Firstly, the implication of these provisions for the e-businesses is that
email is now a valid and legal form of communication in our country
that can be duly produced and approved in a court of law.
• b. Companies are now able to carry out electronic commerce using the legal
infrastructure provided by the Act.
• c. Digital signatures have been given legal validity and sanction in the Act.
• d. The Act opens the doors for the entry of corporate companies in the
business of being Certifying Authorities for issuing Digital Signature
Certificates.
• e. The Act now allows Government to issue notification on the web thus
heralding egovernance.
• f. The Act enables the companies to file any form, application or any other
document with any office, authority, body or agency owned or controlled by
the appropriate Government in electronic form by means of such electronic
form as may be prescribed by the appropriate Government.
• g. The IT Act also addresses the important issues of security, which are
critical to the success of electronic transactions.
• The Act has given a legal definition to the concept of secure digital
signatures that would be required to be passed through a system of a security
procedure, as stipulated by the Government at a later date.
• Under the IT Act, 2000, it is possible for corporates to have a statutory
remedy if anyone breaks into their computer systems or network and
causes damage or copies data.
• The remedy provided by the Act is in the form of monetary damages, not
exceeding Rs. 1 crore.
Characteristics of the Information
Technology Act, 2000

• All electronic contracts made through secure electronic channels are
legally valid.
• Legal recognition for digital signatures.
• Security measures for electronic records and also digital signatures are in
place
• A procedure for the appointment of adjudicating officers for holding
inquiries under the Act is finalized
• Provision for establishing a Cyber Regulatory Appellate Tribunal under
the Act. Further, this tribunal will handle all appeals made against the order
of the Controller or Adjudicating Officer.
• An appeal against the order of the Cyber Appellate Tribunal is possible
only in the High Court
• Digital Signatures will use an asymmetric cryptosystem and also a hash
function
• Provision for the appointment of the Controller of Certifying Authorities
(CCA) to license and regulate the working of Certifying Authorities.
The Controller to act as a repository of all digital signatures.
• The Act applies to offenses or contraventions committed outside India
• Senior police officers and other officers can enter any public place and
search and arrest without warrant
• Provisions for the constitution of a Cyber Regulations Advisory
Committee to advise the Central Government and Controller.
IT ACT AMENDMENT 2008
• Exponential growth of technology gave rise to new ways and means of committing
cybercrimes. To counter these growing cyber threats, the Act was amended in 2008.
Wide-ranging crimes were incorporated in this amendment, with provision for
financial penalties as well as punishment varying from a three-year jail term
to a life sentence. This amendment came into force on 29th October, 2009.
Broadly, the IT Act Amendment 2008 covers the following aspects:
• 1. Liability of Body Corporate towards sensitive personal data:
• Body corporate means any company and includes a firm, sole proprietorship
or other association of individuals engaged in commercial or professional
activities.
• Any Body corporate dealing in sensitive personal data or information in a
computer resource and lacking in providing sufficient security and
control practices to safeguard the data has been made liable under Section
43A to pay damages to the affected party.
2. Identity Theft:
• Under section 63 C, Fraudulent/dishonest act by misuse of electronic signature,
password or any other unique identification feature of a person is punishable.
3. Spamming and Phishing:
• No specific law explicitly exists against spamming and phishing, but it appears that this
aspect has been covered under section 66A.
• It says that sending messages of an offensive or criminally intimidating nature through a
communication service has become punishable with imprisonment for a term which
may extend up to three years or with fine.
4. Introduction of virus, manipulating accounts, denial of services etc
made punishable [3]:
• Section 66 has been amended to include offences punishable as per section
43 which has also been amended to include offences as listed above;
punishment may lead to imprisonment which may extend to three years
or with fine which may extend to five lakh rupees or with both.
• 5. Cheating and Stealing of computer resource or communication
device: Punishment for stealing or retaining of any stolen computer
resource or communication device has been covered under section 66B.
Section 66D makes “cheat by personation” by means of any
'communication device' or 'computer resource' an offence.
• 6. Cyber Terrorism:
• An intent to threaten the unity, integrity, security or sovereignty of
India contributes to cyber terrorism. Section 66D deals with punishment for
acts like denial of services, unauthorized access etc related to cyber
terrorism.
• 7. Child pornography:
• Section 67B lays down punishment for publishing, transmitting, browsing of
material depicting children in sexually explicit act, etc. in electronic form.
• 8. Intermediary’s liability:
• Intermediary means any person who on another person’s behalf receives,
stores or transmits the message or provides any service with respect to that
message.
• Section 67C states that intermediaries should preserve and retain
information in the format and for the period given by the Central Government
• 9. Surveillance, Interception and Monitoring:
• Section 69 empowers the government to issue directions for interception
or monitoring or decryption of any information through any computer
resource.
• 10. Cognizance of cases and investigation of offences:
• All cases which entail punishment of three years or more have been
made cognizable. In Act 2000, section 78 defines that investigation of
offences is to be done only by Deputy Superintendent of police.
• In its amendment, Inspectors have been included as investigating officers
which is more feasible.
• 11. Security procedures and Practices: Section 16 empowers the Central
Government to prescribe security procedure in respect of secure electronic
records and secure digital signatures.
• 12. Indian Computer Emergency Response Team: On 27th October,
2009 CERT was appointed as national agency for performing functions in
the area of cyber security.
LIMITATIONS OF IT ACT
• 1. Spamming:
• Spam is an unwanted e-mail message which is the electronic version of junk mail that is
delivered by the postal service [14]. Email recipients don’t have any existing business or
personal relationship with the initiator. Such Unsolicited Bulk Email (“UBE”) or Unsolicited
Commercial Email (“UCE”) is not sent at the request or with the consent of the
recipient.
• There is no dedicated anti-spam law in India which imposes strict regulations for UCE/UBE.
• According to the 2008 amendment, any email communication that causes annoyance or
inconvenience, or is sent to deceive or to mislead the recipient about the origin of such a message,
is punishable. Therefore the very act of sending such UCEs is not illegal, but if the content is
objectionable, then it is an Internet crime under the Indian law [16].
• 2. Integrity of customer transactions:
• Integrity of data means unimpaired data while maintaining the accuracy and consistency of data.
• It is different from data confidentiality or denial of service.
• Modification of data by malicious programs or users can often cause more serious
problems than confidentiality of data.
• IT Act 2000, Section 43 provides law for unauthorized access but nothing has been said for any
measure about the integrity of transaction by a bank.
• Guideline to maintain integrity of transaction exists but there is no specific law.
• Moreover, it is not considered as a criminal offence.
• 3. Pornography:
• IT Act 2000 prohibits publishing of information which is obscene, but there
has not been any consideration or law on the viewing of such
information. Section 67 B of Amendment 2008 makes only the browsing of child
pornography punishable.
• Nothing has been mentioned regarding browsing of adult pornography. But
in UK possession of "extreme pornographic images" is an offence under
Section 63 of the Criminal Justice and Immigration Act 2008 [17].
• 4. Phishing
• Phishing is a criminally fraudulent process of attempting to acquire
sensitive information such as usernames, passwords and credit card
details, by masquerading as a trustworthy entity in an electronic
communication. Thus it allows law enforcement officials to fight phishing
scams, by creating an oppo [18]. In the Parliament, while discussing the
“Objects and Reasons of ITAA-2006” for the bill passed in 2008, phishing
was part of the statement. But till date there is no provision specifically
against phishing.
Cyber Crime Scenario in India (A Few Case Studies)

• a) The Bank NSP Case


• In this case a management trainee of a bank got engaged to be married. The couple
used to exchange many emails using the company’s computers. After some time
they called off the marriage and the young lady created some fake email ids
such as “Indian bar associations” and sent mails to the boy’s foreign clients. She
used the bank’s computer to do this. The boy’s company lost a huge number of
clients and took the bank to court. The bank was held liable for the emails sent
using the bank’s system.
• b) Bazee.com case
• In December 2004 the Chief Executive Officer of Bazee.com was arrested
because he was selling a compact disk (CD) with offensive material on the
website, and the CD was also being sold in the market of Delhi.
The Delhi Police and the Mumbai Police got into action, and later
the CEO was released on bail.
• c) Parliament Attack Case
• The Bureau of Police Research and Development, Hyderabad handled this case. A laptop was recovered
from the terrorists who attacked the Parliament. The laptop, seized from the two terrorists who
were gunned down on 13th December 2001 when the Parliament was under siege, was sent to the Computer
Forensics Division of BPRD. The laptop contained several pieces of evidence that confirmed the two
terrorists’ motives, mainly the sticker of the Ministry of Home that they had created on the laptop and affixed
on their Ambassador car to gain entry into Parliament House, and the fake ID card that one of the
two terrorists was carrying with a Government of India emblem and seal. The emblems (of the 3 lions) were
carefully scanned and the seal was also craftily created, together with a residential address in
Jammu and Kashmir. However, careful detection proved that it was all forged and made on the laptop.
• Andhra Pradesh Tax Case
• The owner of a plastics firm in Andhra Pradesh was arrested and cash of Rs. 22 was
recovered from his house by the Vigilance Department. They sought evidence from him
concerning the unaccounted cash. The suspect submitted 6,000 vouchers to prove
the legitimacy of trade; however, careful scrutiny of the vouchers and the contents of his
computers revealed that every one of them was made after the raids were conducted.
It was revealed that the suspect was running 5 businesses under the guise of 1
company and used fake, computerized vouchers to show sales records and save tax. So
the dubious techniques of the businessman were exposed when officials of
the department got hold of the computers used by the suspect.
• f) SONY.SAMBANDH.COM CASE

• India saw its 1st cybercrime conviction. This is the case where Sony India Private Limited, which runs a
website called www.sony-sambandh.com targeting NRIs, filed a complaint. The website allows NRIs to
send Sony products to their friends and relatives in India after they pay for them online. The company
undertakes to deliver the products to the intended recipients. In May 2002, somebody logged onto the
website under the identity of Barbara Campa and ordered a Sony colour television set and a cordless
headphone. She requested delivery of the product to Arif Azim in Noida and gave the number of her credit card
for payment. The payment was accordingly cleared by the credit card agency and the transaction processed.
After the related procedures of due diligence and checking, the items were delivered to Arif Azim by the
company. When the product was delivered, the company took digital pictures to show the delivery
being accepted by Arif Azim. The transaction closed at that, but after one and a half months the credit card
agency informed the company that this was an unauthorized transaction as the real owner had denied having
made the purchase.
• The company filed a complaint for online cheating with the CBI, which registered a case under
Section 418, Section 419 and Section 420 of the IPC (Indian Penal Code). Arif Azim was
arrested after the matter was investigated. Investigations discovered that Arif Azim, while
working at a call centre in Noida, gained access to the credit card number of an American
national, which he misused on the company’s site. The CBI recovered the colour television along
with the cordless headphone. In this matter, the CBI had evidence to prove their case, so the
accused admitted his guilt. The court convicted Arif Azim under Section 418, Section
419 and Section 420 of the IPC, this being the first conviction for a cybercrime.
The court felt that since the defendant was a boy of 24 years and a first-time convict, a
compassionate view needed to be taken. Thus, the court released the defendant on
probation for one year.
• Some , Section 67 and Section 70 of the IT Act are also applied. In this case the hackers hack
one's webpage and replace the homepage with a pornographic or defamatory page.
Digital signature
• A digital signature is a mathematical scheme that validates the integrity or
authenticity of a given digital document or digital message. Digital signature
certificates are the electronic or digital equivalent of paper certificates. Digital
signature certificates validate your digital signature and for affixing digital signatures
to e-documents digital signature certificates are required. Generally certificates are
used to prove the identity of a person for particular purpose like driving license or
passport or pan card or others. Similarly digital signature certificates are used to
prove the identity of the person digitally to avail information or services on the
internet and to sign certain documents digitally.
• Class I DSC – Individuals get it for validating the email identification of the users and in
situations where risk is minimal and here the signature is stored in software.
• Class II DSC – Business organizations or individuals use this digital signature certificate to
validate the information given by the subscriber in the application against the information
available in a trusted consumer database and in other such situations where security risk is
moderate. In this case a hardware cryptographic device is used for storing the signature.
• Class III DSC – This digital certificate is directly issued by the certifying authority and it is
required that the person applying for DSC must be present at the certifying authority’s
premises and prove his/her identity in front of the authority and the security risk involved
in this case is very high. In this case also a hardware cryptographic device is used for
storing the signature.
The Necessity of Digital Signature
Certificates
• For e-filing of the income tax returns by any individual, the Government of India has made it
mandatory to affix digital signatures to the income tax returns documents.
• For affixing the digital signature one must have digital signature certificates issued by licensed
certification authority.
• In addition, Ministry of Corporate Affairs has set the mandatory guidelines for the
companies directing them to file all reports, applications and forms using a digital signature
only and this again requires a digital signature certificate.
• For GST also a company must verify its GST application by affixing a digital signature using
digital signature certificate in order to get registered for GST.
• These days many Government procedures, filling different applications, amendments and forms
require digital signatures made by using digital signature certificates.
• Applying the Signature
• 1. When you click "sign", a unique digital fingerprint (called a hash) of the
document is created using a mathematical algorithm. This hash is specific to this
particular document; even the slightest change would result in a different hash.
• 2. The hash is encrypted using the signer's private key. The encrypted hash and the
signer's public key are combined into a digital signature, which is appended to the
document.
• 3. The digitally signed document is ready for distribution.
• Verifying the Signature
• 1. When you open the document in a digital signature-capable program (e.g., Adobe Reader,
Microsoft Office), the program automatically uses the signer's public key (which was
included in the digital signature with the document) to decrypt the document hash.
• 2. The program calculates a new hash for the document. If this new hash matches the
decrypted hash from Step 1, the program knows the document has not been altered and
displays messaging along the lines of, "The document has not been modified since this
signature was applied."
• The program also validates that the public key used in the signature belongs to the signer
and displays the signer's name.
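
The signing and verification steps above, carried through in Python as an added example (not part of the original slides). It uses textbook RSA without padding and constructed, deliberately weak demo keys; the function names and the trusted-fingerprint set, which stands in for certificate validation, are assumptions made for illustration.

```python
import hashlib

# Constructed demo keys: every prime below is a Mersenne prime, so these
# moduli are trivially factorable. They only make the arithmetic visible.
# Real signatures use random primes and a padding scheme such as RSA-PSS.
SIGNER_PRIMES = (2**521 - 1, 2**607 - 1)
OTHER_PRIMES = (2**127 - 1, 2**1279 - 1)
E = 65537


def make_keypair(p, q, e=E):
    """Return (public, private) with public=(n, e) and private=(n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)


def doc_hash(document: bytes) -> int:
    """Signing step 1: the document's SHA-256 fingerprint as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def key_fingerprint(public) -> str:
    """Hypothetical identifier for a public key, used for the trust check."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def sign(document: bytes, public, private) -> dict:
    """Signing step 2: transform the hash with the private key and bundle
    the result with the signer's public key."""
    n, d = private
    return {"sig": pow(doc_hash(document), d, n), "public": public}


def verify(document: bytes, signature: dict, trusted: set) -> str:
    n, e = signature["public"]
    recovered = pow(signature["sig"], e, n)   # verification step 1
    if recovered != doc_hash(document):       # verification step 2
        return "modified"
    # Final check: the bundled key must belong to the claimed signer.
    if key_fingerprint(signature["public"]) not in trusted:
        return "untrusted-key"
    return "valid"


def demo() -> dict:
    signer_pub, signer_priv = make_keypair(*SIGNER_PRIMES)
    other_pub, other_priv = make_keypair(*OTHER_PRIMES)
    trusted = {key_fingerprint(signer_pub)}   # stands in for a certificate
    original = b"Return form: total income 500000"   # constructed sample
    altered = b"Return form: total income 900000"    # constructed sample
    good = sign(original, signer_pub, signer_priv)
    resigned = sign(altered, other_pub, other_priv)
    return {
        "original": verify(original, good, trusted),
        "altered": verify(altered, good, trusted),
        "resigned": verify(altered, resigned, trusted),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third case is why the last verification bullet matters: a document re-signed under a different key passes the hash comparison, and only the check that the key belongs to the signer rejects it.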
