2. IT Act, 2000
Enacted on 17th May 2000 - India is the 12th nation in the world to adopt cyber laws
The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL
3. Objectives of the IT Act
To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce"
To facilitate electronic filing of documents with Government agencies and e-payments
To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934
4. Extent of application
Extends to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person {section 1(2)}, read with Section 75: the Act applies to an offence or contravention committed outside India by any person irrespective of his nationality, if the act involves a computer, computer system or computer network located in India
5. Definitions (section 2)
"electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
"secure system" means computer hardware, software, and procedure that -
(a) are reasonably secure from unauthorised access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended functions; and
(d) adhere to generally accepted security procedures
"security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.
secure electronic record - where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification
6. Act is not applicable to…
(a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;
7. Act is not applicable to…
(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;
(e) any contract for the sale or conveyance of immovable property or any interest in such property;
(f) any such class of documents or transactions as may be notified by the Central Government
9. DIGITAL SIGNATURE
Digital signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.
CREATION OF DIGITAL SIGNATURE
To sign an electronic record or any other item of information, the signer's software first applies a hash function to the record, producing a fixed-length hash result.
The signer's software then transforms the hash result into a digital signature using the signer's private key.
The digital signature is attached to the electronic record and stored or transmitted together with it.
10. Manner in which information is authenticated by means of digital signature (section 3):
A digital signature shall -
a. be created and verified by cryptography
b. use what is known as "PUBLIC KEY CRYPTOGRAPHY" (the Act requires an asymmetric crypto system together with a hash function)
Verification of digital signature
Verification means to determine whether:-
a. the initial electronic record was affixed with the digital signature by use of the private key corresponding to the subscriber's public key
b. the initial electronic record is retained intact or has been altered since the digital signature was affixed
11. DIGITAL SIGNATURE CERTIFICATE
REPRESENTATION UPON ISSUANCE OF DIGITAL SIGNATURE CERTIFICATE
EXPIRY OF DIGITAL SIGNATURE CERTIFICATE
FEES FOR ISSUE OF DIGITAL SIGNATURE CERTIFICATE
CONTENT OF DIGITAL SIGNATURE CERTIFICATE
12. GENERATION OF DIGITAL SIGNATURE CERTIFICATE
COMPROMISE OF DIGITAL SIGNATURE CERTIFICATE
SUSPENSION OF DIGITAL SIGNATURE CERTIFICATE
ARCHIVAL OF DIGITAL SIGNATURE CERTIFICATE
13. ELECTRONIC SIGNATURE
Electronic signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule, and includes digital signature.
The term follows the UNCITRAL Model Law on Electronic Signatures adopted in 2001; it was introduced into the IT Act by the IT (Amendment) Act, 2008, which came into force on 27.10.2009.
14. Rules In Respect Of Electronic Signature :
Electronic Signature Certificate
Certification Practice Statement
SUBSCRIBER
Subscriber means a person in whose name the
digital/electronic signature certificate is issued.
The method used to verify and authenticate the identity
of a subscriber is known as “Subscriber Identity
Verification Method”.
Duties Of Subscriber
1.Generating key pair
2.On acceptance of Digital Signature Certificate
3.Control of private key
16. Electronic Commerce
EC transactions over the Internet include:
Formation of contracts
Delivery of information and services
Delivery of content
The future of electronic commerce depends on "the trust that the transacting parties place in the security of the transmission and content of their communications"
17. Electronic World
An electronic document is produced by a computer, stored in digital form, and cannot be perceived without using a computer
It can be deleted, modified and rewritten without leaving a mark
The integrity of an electronic document is inherently impossible to verify from the document alone
A copy is indistinguishable from the original
It cannot be sealed in the traditional way, where the author affixes his signature
The functions of identification, declaration and proof for electronic documents are therefore carried out using a digital signature based on cryptography
18. Electronic World
Digital signatures are created and verified using cryptography
Public key system based on asymmetric keys
An algorithm generates two different but related keys: a public key and a private key
Private key used to digitally sign
Public key used to verify
19. Public Key Infrastructure
Allows parties to have free access to the signer's public key
Assures the relying party that the public key really corresponds to the signer's private key, i.e. that it belongs to the claimed signer
Trust between parties as if they knew one another
Parties with no trading partner agreements, operating on open networks, need the highest level of trust in one another
20. Role of the Government
Government has to provide the definition of:
the structure of the PKI
the number of levels of authority and their juridical form (public or private certification)
which authorities are allowed to issue key pairs
the extent to which the use of cryptography should be authorised for confidentiality purposes
whether the Central Authority should have access to the encrypted information; when and how
the key length, its security standard and its time validity
21. Certificate based Key Management
Operated by a trusted third party - the CA
Provides trading partners with certificates
Notarises the relationship between a public key and its owner
[Diagram: the CA at the top issues certificates to User A and User B; each party presents its CA-issued certificate to the other]
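The three signing steps in slide 9 (hash the record, transform the hash with the private key, attach the result), the two verification checks in slide 10, and the CA's notarisation of a public key in slide 21 fit together in one short program. The following Go example is added here and is not code from the original slides or from any Indian CA; the Certificate and SignedRecord types are hypothetical stand-ins for a real Digital Signature Certificate and a signed document, Ed25519 is used as the asymmetric algorithm, and the keys and the record are constructed inline. Besides the genuine case it shows the two failures a relying party must catch: a record altered after signing, and a certificate issued by a CA the verifier does not trust.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate is an illustrative stand-in for a Digital Signature Certificate:
// the CA "notarises" the binding between a subscriber name and a public key
// by signing both. (Hypothetical structure; a real DSC is an X.509 certificate.)
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte // CA's signature over Subject || PubKey
}

// SignedRecord is an electronic record with the subscriber's digital signature
// and certificate attached, ready to be stored or transmitted together.
type SignedRecord struct {
	Record []byte
	Sig    []byte
	Cert   Certificate
}

// certTBS is the "to be signed" byte string the CA signs: the subject name,
// a NUL separator, then the raw public key.
func certTBS(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// IssueCertificate plays the CA: it binds subject to pub under the CA's key.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: pub, CASig: ed25519.Sign(caPriv, certTBS(subject, pub))}
}

// SignRecord follows the three steps in the text: hash the record, transform
// the hash result with the signer's private key, attach the result.
// Ed25519 hashes its input internally, so the explicit SHA-256 step here
// mirrors the Act's description rather than adding security.
func SignRecord(priv ed25519.PrivateKey, cert Certificate, record []byte) SignedRecord {
	digest := sha256.Sum256(record)
	sig := ed25519.Sign(priv, digest[:])
	return SignedRecord{Record: record, Sig: sig, Cert: cert}
}

// VerifyRecord performs the two checks the Act names for verification:
// (a) the record was signed with the private key matching the subscriber's
// certified public key, and (b) the record is intact. It first checks that
// the certificate itself was issued by the trusted CA, which is what lets a
// relying party trust the public key of a subscriber it has never met.
func VerifyRecord(caPub ed25519.PublicKey, sr SignedRecord) error {
	if !ed25519.Verify(caPub, certTBS(sr.Cert.Subject, sr.Cert.PubKey), sr.Cert.CASig) {
		return errors.New("certificate was not issued by the trusted CA")
	}
	digest := sha256.Sum256(sr.Record)
	if !ed25519.Verify(sr.Cert.PubKey, digest[:], sr.Sig) {
		return errors.New("signature does not verify: record altered or signed with another key")
	}
	return nil
}

// RunScenario exercises the genuine case and the two failure modes a relying
// party must detect. Keys and the record are constructed for this example.
func RunScenario() (genuine, tampered, rogueCA error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCertificate(caPriv, "CN=Subscriber A", subPub)
	record := []byte("constructed sample record: pay INR 1000 to account 42")

	sr := SignRecord(subPriv, cert, record)
	genuine = VerifyRecord(caPub, sr)

	// Alter the record after signing; the hash no longer matches the signature.
	altered := sr
	altered.Record = bytes.Replace(sr.Record, []byte("1000"), []byte("9000"), 1)
	tampered = VerifyRecord(caPub, altered)

	// Same subscriber key, but certified by a CA the verifier does not trust.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := SignRecord(subPriv, IssueCertificate(roguePriv, "CN=Subscriber A", subPub), record)
	rogueCA = VerifyRecord(caPub, rogue)
	return genuine, tampered, rogueCA
}

func main() {
	g, t, r := RunScenario()
	fmt.Println("genuine:", g)
	fmt.Println("tampered:", t)
	fmt.Println("rogue CA:", r)
}
```

The order of the checks matters: the subscriber's public key is taken from the certificate, so the certificate's own signature by the trusted CA has to be checked before that key is used to verify the record, otherwise anyone could present a self-made certificate for any name. A real deployment would also check certificate expiry, suspension and revocation, which the slides list but this example omits.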
22. Section 4 - Legal recognition of Electronic Records
If any information is required in printed or written form under any law, the information provided in electronic form, which is accessible so as to be usable for subsequent reference, shall be deemed to satisfy the requirement of presenting the document in writing or printed form.
23. Sections 5, 6 & 7
Legal recognition of digital signatures
Use of electronic records in Government and its agencies
Publication of rules and regulations in the Electronic Gazette
Retention of electronic records
Accessibility of information, same format, particulars of dispatch, origin, destination, time stamp, etc.
24. CCA has to regulate the functioning of CAs in the country by -
Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities.
Certifying the public keys of the CAs, i.e. their Digital Signature Certificates, more commonly known as Public Key Certificates (PKCs).
Laying down the standards to be maintained by the CAs.
Addressing the issues related to the licensing process.
25. The licensing process
Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations thereunder;
Approving the Certification Practice Statement (CPS);
Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.
26. Audit Process
Adequacy of security policies and implementation thereof;
Existence of adequate physical security;
Evaluation of functionalities in technology as it supports CA operations;
CA's services administration processes and procedures;
Compliance with the relevant CPS as approved and provided by the Controller;
Adequacy of contracts/agreements for all outsourced CA operations;
Adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time.
28. ADJUDICATION
Every Adjudicating Officer shall have the powers of a Civil Court which are conferred on the Cyber Appellate Tribunal, and all proceedings before the Adjudicating Officer shall be deemed to be proceedings before a Civil Court [sec 46].
While adjudging the quantum of compensation, the Adjudicating Officer shall have due regard to the following factors:
I. the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
II. the amount of loss caused to any person as a result of the default;
III. the repetitive nature of the default. [sec 47]
29. ADJUDICATION
An officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government, possessing the prescribed experience in the field of information technology and legal or judicial experience, shall be appointed as an Adjudicating Officer by the Central Government to adjudge whether any person has committed a contravention of any of the provisions of the Act, or of any rule, regulation, direction or order made thereunder, which renders him liable to pay penalty or compensation.
The claim for injury or damage should not exceed rupees five crore.
Jurisdiction in respect of a claim for injury or damage exceeding rupees five crore shall vest with the competent court.
The person liable to pay shall be given a reasonable opportunity for making representation in the matter.
After such an inquiry, if the Adjudicating Officer is satisfied that the person is liable to pay, he may impose the penalty he thinks fit in accordance with the provisions of the applicable section.
30. OFFENCES, COMPENSATION AND PENALTIES
1. Penalty and compensation for damage to computer, computer system etc. (Section 43):
If any person, without permission of the owner or any other person who is in charge of the computer, computer system or computer network -
a. accesses or secures access to such computer, computer system or computer network;
b. downloads, copies or extracts any data, computer database or information;
c. introduces any computer contaminant or computer virus;
d. damages or causes to be damaged the computer, computer system or network;
e. disrupts or causes disruption;
f. denies or causes denial of access to any person authorised to access;
g. steals, conceals, destroys or alters any computer source code with intent to cause damage;
he is liable to pay damages by way of compensation to the person so affected. Where any of these acts is done dishonestly or fraudulently, Section 66 (as amended in 2008) makes it an offence punishable with imprisonment up to 3 years or fine up to Rs. 5 lakh or both.
35. Section 65: Tampering with Computer Source Documents
Source code is the most important asset of software companies
"Computer Source Code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form
Ingredients
Knowledge or intention
Concealment, destruction or alteration (or causing another to do so)
Computer source code required to be kept or maintained by law for the time being in force
Punishment
Imprisonment up to three years and / or fine up to Rs. 2 lakh
36. Section 66: Hacking (as in the original 2000 Act; the section was recast by the IT (Amendment) Act, 2008)
• Ingredients
– Intention or knowledge to cause wrongful loss or damage to the public or any person
– Destruction, deletion, alteration, diminishing value or utility, or injuriously affecting information residing in a computer resource
• Punishment
– imprisonment up to three years, and / or
– fine up to Rs. 2 lakh
• Cognizable, non-bailable
Section 66 covers data theft as well as data alteration
37. Sec. 67: Publishing obscene information in electronic form (penalties as in the original 2000 Act; revised by the IT (Amendment) Act, 2008)
Ingredients
Publishing or transmitting, or causing to be published, in the electronic form
Obscene material
Punishment
On first conviction: imprisonment of either description up to five years and fine up to Rs. 1 lakh
On subsequent conviction: imprisonment of either description up to ten years and fine up to Rs. 2 lakh
Section covers
Internet service providers,
Search engines,
Pornographic websites
Cognizable, non-bailable, triable by JMFC / Court of Sessions