Law
Information and Communication Technology
An Overview of the I.T. Act 2000
Principal Investigator: Prof. (Dr.) Ranbir Singh, Vice Chancellor, National Law University, Delhi
Co-Principal Investigator: Prof. (Dr.) G.S. Bajpai, Registrar, National Law University Delhi
Paper Coordinator: Dr. Aparajita Bhatt, Assistant Professor, National Law University Delhi
Content Writer/Author: Dr. Atul Kumar Pandey, Assistant Professor, National Law Institute University, Bhopal
Content Reviewer: Mr. Pavan Duggal, Advocate, Supreme Court of India
DESCRIPTION OF MODULE
Subject Name: Law
Paper Name: Information and Communication Technology
Module Name/Title: An Overview of the I.T. Act 2000
Module Id: III
Objectives: Learning the:
Regulatory framework for cyberspace
Overall understanding of provisions related to-
o e-commerce & e-contract
o Digital signature cyber contravention
o Cyber offences and data privacy and
o Other related aspects
Prerequisites: General Information about information technology
Key words: Intermediary, Cyber Offence, Unauthorized Access, Cyber Contravention.
Learning Outcome:
This overview of the Information Technology Act, 2000 makes the reader aware of the generic structure of the law pertaining to information technology in India.
1. Introduction
Long before computers entered our lives, contracts and similar transactions were normally recorded on paper, signed by the contracting parties, and the document thereby acquired legal recognition. Over the last two decades, the intrusion of the computer and the internet into our day-to-day work has made things both simpler and more complex at the same time. The wide use and user-friendliness of the computer and the internet can be traced in the many ordinary activities that touch our lives every day, such as communication, shopping and contracting. As the use of computers keeps breaking old records and setting new benchmarks of complex human-machine interaction, it perpetually sets new horizons of standardization in terms of time and space. Imagine making a contract on a document that has been fed into a computer. An immediate question arises: will it be recognized on par with a paper document? Some may also doubt whether that document will be given legality without the signatures of the interested parties, or how the parties can put their signatures on a document that is made and saved in a computer. Such problems were recognized, consolidated and solved with the enactment of the Information Technology Act, 2000 (hereinafter referred to as the IT Act, 2000). Before turning to the overview and content of the IT Act, 2000, let us (re)visit the history of its enactment.
The General Assembly of the United Nations, by its resolution A/RES/51/162 dated the 30th January, 1997, adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) and recommended that all member countries adopt the UNCITRAL Model Law and accordingly amend and revise their existing laws. Subsequently, in India the Information Technology Bill was passed by both houses of Parliament, and the IT Act, 2000 was thus enacted to align with the international mother law. The genesis of the IT Act, 2000 may therefore be traced back to the Model Law on E-commerce adopted by UNCITRAL in 1996. The IT Act, 2000 was enacted with the prime motive of determining the use, abuse and misuse of the digital medium and its regulation in the country. The legislative history of the IT Act, 2000 is summarized in the following paragraph.
The Ministry of Commerce, Government of India created the first draft of the legislation following the guidelines, termed the “E Commerce Act 1998”. Subsequently, a separate ministry for Information Technology was created; the draft was taken over by the new ministry, which re-drafted the legislation as the “Information Technology Bill, 1999”. The new draft was placed before Parliament in December 1999 and was finally passed in May 2000. After the assent of the President of India on June 9, 2000, the Information Technology Act, 2000 was notified with effect from October 17, 2000.
The IT Act, 2000, as clearly written, extends to the whole of India. Except as otherwise provided, it also applies to any offence or contravention thereunder committed outside India by any person. The IT Act, 2000 has 13 Chapters and 90 Sections, which deal with heads such as legal recognition of electronic records, legal recognition of digital signatures, offences and contraventions, and justice dispensation systems for cyber crimes, which are elaborated later in this module.
2: The UNCITRAL and the need for IT Act, 2000
UNCITRAL strongly felt the need to introduce such a standard law in various countries. This was solely because there was an urgent need to create uniformity in the law applicable to alternatives to paper-based methods of communication and storage of information. The initiative was taken to create harmony between various laws within a country and also to take one step towards creating the same effect internationally. Also, with the increased use of computers and the internet, paper-based documents were gradually being replaced by electronic documents. Hence it is evident that offences relating to documents and paper-based transactions also moved to the digital medium; electronic fund transfers between financial institutions started happening, and banks started maintaining books of account in electronic form. Therefore, a regulatory framework for all these activities became the need of the hour, and so the UNCITRAL Model Law took the initiative and directed all its member countries, including India, to pass laws akin to the Information Technology Act, 2000, inter alia amending the existing laws.
Moreover, it may be noted that since the use of the digital medium was increasing and pervading other domains, a regulator became necessary. The need to draft legislation on e-commerce and the internet became very urgent because of some peculiar features of cyberspace. For example, the absence of a technically defined physical boundary limits the scope for any single entity to govern the whole of the internet and its activities. Since there is no possibility of handwritten documents and signatures, seals, thumb impressions etc. to prove the identity of a person or entity in cyberspace, without a formulated legislation the cyber world would have been nothing but an unbridled horse. All the above reasons therefore contributed to the need for legislation solely dedicated to these and many such other issues of information technology, eventually resulting in the enactment of the IT Act, 2000.
3: Objectives of the IT Act, 2000
The preamble of the IT Act, 2000 clearly states the three main objectives: to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication (commonly referred to as “electronic commerce”), which involve the use of alternatives to paper-based methods of communication and storage of information; to facilitate electronic filing of documents with the Government agencies; and to amend the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934, and for matters connected therewith or incidental thereto. These objectives are further illustrated as follows:
There is a need to facilitate e-commerce by providing for legal recognition of electronic records and digital signatures.
This law enables the conclusion of electronic contracts and the creation of rights and obligations through the electronic medium.
Another objective of the IT Act, 2000 is to provide a regulatory regime to supervise the Certifying Authorities¹ issuing Digital Certificates².
The statute aims to prevent the possible misuse arising out of electronic-transactions and other dealings concluded over the electronic medium.
The IT Act, 2000 also aims to create civil and criminal liabilities for contravention of the provisions of the said legislation.
The statute also aims at the achievement of the Electronic Governance; as the law allows the use and acceptance of electronic records and digital signatures in the Government offices and its agencies. This will facilitate the citizen’s interaction with the Governmental offices.
¹ Section 2(g). “Certifying Authority” means a person who has been granted a licence to issue a [electronic signature] Certificate under section 24 of the ITA, 2000.
² Section 2(q). “Digital Signature Certificate” means a Digital Signature Certificate issued under sub-section (4) of section 35 of the ITA, 2000.
With the migration of the document related offences, and those relating to the paper based transactions to the digital medium, the need to effect relevant and compatible changes in other general statutes became unavoidable. The IT Act, 2000 (a special enactment) included provisions that inter-alia induced such amendments to the corresponding provisions in the Indian Penal Code, 1860 and the Indian Evidence Act, 1872. Moreover, the various electronic fund transfers between the financial institutions started happening thereby necessitating the amendment of the Reserve Bank of India Act, 1934 on the one hand, whereas the banks started maintaining books of account in the electronic form thereby amending the Bankers Book Evidence Act, 1891 on the other hand.
4: Definition of Certain Important terms in the IT Act, 2000
Before understanding the basic content of the IT Act, 2000 it is essential to know the precise definition and scope of certain important terms. This not only avoids misinterpretations but also ensures standardization and limits the scope of their meaning. Moreover, it plays a vital role in structuring the whole statute altogether thereby minimizing the chances of unnecessary ambiguities. For a better understanding of any enacted statute, definitions of the technical and key terms are thus necessary. Section 2 of the IT Act defines certain terms, key words. An inclusive list of such words and terms are reproduced as under:
“Access”³ with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network.
“Computer”⁴ means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.
“Computer resource”⁵ means computer, computer system, computer network, data, computer data base or software.
“Computer system”⁶ means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
“Data”⁷ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
“Digital signature”⁸ means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of the Act.
“Electronic record”⁹ means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
“Secure system”¹⁰ means computer hardware, software, and procedure that-
(a) are reasonably secure from unauthorized access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended functions; and
(d) adhere to generally accepted security procedures.
Apart from all these important terms, certain terms like addressee, adjudicating officer, appropriate Government, asymmetric crypto system, certifying authority, certification practice statement, communication device, computer network, controller, cyber appellate tribunal, cyber café, cyber security, digital signature certificate, electronic form, electronic gazette, electronic signature, function, Indian Computer Emergency Response Team, information, intermediary, key pair, law, licence, originator, prescribed, private key, public key, security procedure, subscriber, verify, Sensitive personal data are also defined clearly.
³ See, Section 2(a) of the ITA, 2000.
⁴ See, Section 2(i) of the ITA, 2000.
⁵ See, Section 2(k) of the ITA, 2000.
⁶ See, Section 2(l) of the ITA, 2000.
⁷ See, Section 2(o) of the ITA, 2000.
⁸ See, Section 2(p) of the ITA, 2000.
⁹ See, Section 2(t) of the ITA, 2000.
¹⁰ See, Section 2(ze) of the ITA, 2000.
5: Content of the IT Act, 2000
Keeping the objectives of the said enactment in mind, the basic and major contents that are dealt under the various provisions of the IT Act, 2000 can be broadly classified under the following heads: (a) Electronic records, (b) Digital Signatures, (c) Contraventions and Offences, (d) Cyber Appellate Tribunal, (e) Protection to Network Service Providers in certain situations. A brief overview of the aforementioned five broad classifications has been laid down in the following paragraphs.
Electronic records
The IT Act has given electronic documents the same legal recognition as printed documents. Section 4¹¹ of the IT Act deals with the legal recognition of electronic records. It provides that any information made available in electronic form, and accessible so as to be usable, will be treated by the law in force in the same way as information or matter that is in writing, typewritten or printed.
Under this provision, electronic documents are deemed to be valid evidence in a court of law. Chapter 3 of the IT Act, 2000 deals with electronic governance. Section 6¹² covers the use of e-records in the government and its agencies. Moreover, Section 7¹³ gives the procedure and prerequisites for the retention of e-records, which ultimately leads to the timely audit of the preserved documents as per Section 7A¹⁴. This chapter also gives legal recognition to any contract made using an electronic medium, in Section 10A¹⁵.
¹¹ Section 4. Legal recognition of electronic records - Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is—
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
¹² Section 6. Use of electronic records and digital signatures in Government and its agencies - (1) Where any law provides for—
(a) the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;
(b) the issue or grant of any licence, permit, sanction or approval by whatever name called in a particular manner;
(c) the receipt or payment of money in a particular manner,
then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government.
(2) The appropriate Government may, for the purposes of sub-section (1), by rules, prescribe—
(a) the manner and format in which such electronic records shall be filed, created or issued;
(b) the manner or method of payment of any fee or charges for filing, creation or issue any electronic record under clause (a).
¹³ Section 7. Retention of electronic records. (1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if—
(a) the information contained therein remains accessible so as to be usable for a subsequent reference;
(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
(c) the details which will facilitate the identification of the origin, destination, date and time of despatch or receipt of such electronic record are available in the electronic record:
Provided that this clause does not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be despatched or received.
(2) Nothing in this section shall apply to any law that expressly provides for the retention of documents, records or information in the form of electronic records.
¹⁴ Section 7A. Audit of documents etc., maintained in electronic form. - Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in the electronic form.
¹⁵ Section 10A. Validity of contracts formed through electronic means. - Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose.
Digital Signatures
The Information Technology Act (Amendment), 2000 (hereinafter referred to as the ITAA) has adopted electronic signatures as a legal way of signing an electronic document. Specifically, Section 5¹⁶ of the IT Act provides legal recognition to electronic signatures. This Section prescribes that any document in electronic form can be authenticated using electronic signatures in the same way as a printed or typewritten document is signed manually. Section 3¹⁷ of the IT Act describes the method of authenticating electronic records by means of an “asymmetric crypto”¹⁸ system and hash function. The Central Government has prescribed the conditions for considering reliability of an electronic signature under Section 3A (2)¹⁹, while assurance and validity of the electronic signature has been provided under Section 3A (3)²⁰. The duties of the subscriber of an electronic signature certificate are dealt with under Section 40A²¹. In order to ensure and promote the use of the internet and secure electronic commerce, the Central Government has prescribed the methodology for encryption under Section 84A²².
¹⁶ Section 5. Legal recognition of [electronic signatures]. - Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of [electronic signatures] affixed in such manner as may be prescribed by the Central Government.
Explanation.—For the purposes of this section, “signed”, with its grammatical variations and cognate expressions, shall, with reference to a person, mean affixing of his hand written signature or any mark on any document and the expression “signature” shall be construed accordingly.
¹⁷ Section 3. Authentication of electronic records. - (1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation.—For the purposes of this sub-section, “hash function” means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as “hash result” such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible—
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
(3) Any person by the use of a public key of the subscriber can verify the electronic record.
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
¹⁸ See Section 2(f) - “asymmetric crypto system” means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature.
¹⁹ Section 3A (2). Electronic signature. - (1) …
(2) For the purpose of this section any electronic signature or electronic authentication technique shall be considered reliable if -
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticators and to no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticators and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfils such other conditions which may be prescribed.
²⁰ Section 3A (2). Electronic signature. - (1) … (2) …
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
²¹ Section 40A. Duties of subscriber of Electronic Signature Certificate. - In respect of Electronic Signature Certificate the subscriber shall perform such duties as may be prescribed.
²² Section 84A. Modes or methods for encryption. - The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.
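The authentication method of Section 3 (hash function plus asymmetric crypto system) and the alteration-detection conditions of Section 3A(2)(c) and (d), worked through as an added example that is not part of the original module. It assumes SHA-256 as the hash function and unpadded RSA with a key built from two publicly known Mersenne primes, which keeps the example self-contained but is not secure for real use; all function names and the sample record are constructed for illustration.

```python
import hashlib

# Constructed demo key pair (assumption, NOT secure): both primes are publicly
# known Mersenne primes, so anyone could derive the private exponent. Real
# systems use randomly generated keys and a padding scheme.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # modulus shared by both keys
E = 65537                            # public exponent:  public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: private key is (N, D)


def hash_result(record: bytes) -> int:
    """The 'hash result' of Section 3: fixed size, identical for identical input."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(record: bytes, private_exponent: int = D) -> int:
    """Subscriber side: transform the hash result with the private key."""
    return pow(hash_result(record), private_exponent, N)


def verify_record(record: bytes, signature: int, public_exponent: int = E) -> bool:
    """Relying-party side, Section 3(3): only the public key is needed."""
    if not 0 <= signature < N:
        return False
    # Recover the hash result the signer committed to and compare it with the
    # hash result of the record actually received.
    return pow(signature, public_exponent, N) == hash_result(record)


def demo() -> dict:
    """Run the genuine case and three failure cases on a constructed record."""
    record = b"Constructed sample: A agrees to sell 10 units to B for Rs. 5,000."
    signature = affix_signature(record)

    altered_record = record.replace(b"5,000", b"50,000")   # Section 3A(2)(d)
    altered_signature = signature ^ 1                      # Section 3A(2)(c)
    # A signer who does not hold the subscriber's private key (constructed
    # wrong exponent) cannot produce a value that verifies.
    wrong_key_signature = affix_signature(record, private_exponent=D + 2)

    return {
        "hash_repeatable": hash_result(record) == hash_result(bytes(record)),
        "genuine": verify_record(record, signature),
        "record_altered": verify_record(altered_record, signature),
        "signature_altered": verify_record(record, altered_signature),
        "wrong_private_key": verify_record(record, wrong_key_signature),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

Verification fails in the same way whether the record or the signature was changed: the check shows that an alteration happened, not which part was altered.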
Offenses and Contraventions
“Cybercrime” has not been defined under the IT Act, 2000 or for that matter any other legislations in India. Practically speaking, it is difficult to define cybercrime as a term, since it is very subjective by nature. In Indian context, cybercrime has been bifurcated into “offences” and “contraventions”. The ITAA demarcates the difference between the two terms based on the quantum and nature of offence.
Section 43²³ of ITAA (cyber contraventions) deals with illegitimate access, introduction of viruses to computer systems, denial of services to legitimate users, and causing damage or disruption to computer systems. With the advent of IT Act, 2000, Section 43 confines the punishment to a monetary one, with no upper limit for the penalty, which earlier amounted to one crore. It may be noteworthy that, on the other hand, Section 66²⁴ covers all the acts that are mentioned under Section 43 but with an element of mens rea. The terms “dishonestly” or “fraudulently” (meaning as provided under the Indian Penal Code, 1860) have been appended to the acts prescribed under Section 43, transforming the contraventions into offences, and the quantum of punishment includes imprisonment for a term which may extend to three years or a monetary penalty which may extend to five lakh rupees, or both.
²³ Section 43. [Penalty and compensation] for damage to computer, computer systems, etc.—If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network,—
(a) accesses or secures access to such computer, computer system or computer network or computer resource
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
(j) steal, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
he shall be liable to pay damages by way of compensation to the person so affected.
Explanation.—For the purposes of this section–
(i) “computer contaminant” means any set of computer instructions that are designed—
(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer system, or computer network;
(ii) “computer database” means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
(iii) “computer virus” means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;
(iv) “damage” means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.
(v) “computer source code” means the listing of programs, computer commands, design and layout and programme analysis of computer resource in any form.
²⁴ Section 66. Computer related offences.—If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
Explanation.—For the purpose of this section,—
(a) the word “dishonesty” shall have the meaning assigned to it in section 24 of the Indian Penal Code (45 of 1860).
(b) the word “fraudulently” shall have the meaning assigned to it in section 25 of the Indian Penal Code (45 of 1860).
Different offences under the IT Act, 2000 have been defined in Chapter XI. Section 65 [25] deals with tampering of computer source codes and extends the meaning of computer source codes from any vital computer program to that of layout or design. Section 66A [26] mentions the punishment for sending menacing or annoying messages as well as messages that may be misleading (about the origin) in nature. This Section perhaps covers the issue of phishing and spam. The quantum of punishment mentioned in Section 66A is imprisonment up to three years or fine or both.
However, this particular section has been under the knife because of various chaotic decisions. Section 66B [27] has been introduced by the ITAA and deals with the acts of dishonestly retaining any stolen computer resource, with the quantum of punishment as imprisonment for three years or fine of one lakh rupees or both.
Section 66C [28] deals with the dishonest use of anyone’s digital signature and with impersonation, and provides for punishment with imprisonment which may extend to three years along with a liability of fine that may extend up to one lakh rupees or both.
[25] Section 65. Tampering with computer source documents. - Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation.—For the purposes of this section, “computer source code” means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
[26] Section 66A. Punishment for sending offensive messages through communication service, etc.—Any person who sends, by means of a computer resource or a communication device,—
(a) any information that is grossly offensive or has menacing character, or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such message,
shall be punishable with imprisonment for a term which may extend to three years and with fine.
Explanation.—For the purposes of this section, terms “electronic mail” and “electronic mail message” means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message.
[27] Section 66B. Punishment for dishonestly receiving stolen computer resource or communication device. - Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
[28] Section 66C. Punishment for identity theft. - Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
The punishment prescribed under Section 66D [29] for cheating using a computer resource is imprisonment that may extend to three years and liability to a fine which may extend to one lakh rupees, or both. A section newly introduced by the ITAA deals with the issue of cyber terrorism, covering whatever threatens the integrity, unity or sovereignty of India. The punishment under this section is imprisonment, which may extend up to imprisonment for life. Child pornography is one of the critical issues in Indian society; hence, to control the menace appropriately, Section 67B [30] has been introduced.
This section has prohibited the publication or transmission of material in any electronic medium which depicts children engaged in sexually explicit acts or conduct, and the punishment is imprisonment for five years with a monetary penalty that may extend to ten lakhs (in case of a first offence) and seven years with a fine of ten lakhs on subsequent offences. The newly introduced Section 66E [31] of the amended Information Technology Act deals with the acts of knowingly capturing and publishing the image of a private area of any person without his or her consent and hence covers the offence related to sexually explicit content. The quantum of punishment is imprisonment up to three years or fine up to two lakh rupees or both.
[29] Section 66D. Punishment for cheating by personation by using computer resource. - Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
[30] Section 67B. Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc., in electronic form.—Whoever—
(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct; or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or
(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or
(d) facilitates abusing children online; or
(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,
shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees;
Provided that provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting representation or figure in electronic form–
(i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bona fide heritage or religious purpose.
Explanation—For the purpose of this section, “children” means a person who has not completed the age of 18 years.
[31] Section 66E. Punishment for violation of privacy.—Whosoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
Cyber Appellate Tribunals
The IT Act, 2000 has empowered Cyber Appellate Tribunals and Adjudicating Officers as quasi-judicial bodies that possess the powers of civil as well as criminal courts. Section 46 [32] of the IT Act, 2000 provides for the establishment of a quasi-judicial authority, the adjudicating officer. The adjudicating powers of such officers have been defined in the same Section, to hear the contraventions mentioned under Chapter IX and the offences mentioned under Chapter XI of the IT Act, 2000. Section 48 provides for the establishment of the Cyber Appellate Tribunal (hereinafter referred to as CAT) as the first appellate body, which can hear an appeal from a party not satisfied with the decision of the adjudicating officer. The CAT consists of a chairperson and other members as prescribed by the Central Government under Section 48.
The decisions of the CAT may be challenged before the High Court having jurisdiction, within a time limit of 60 days from the date of communication of such order, as mentioned under Section 62 [33] of the IT Act, 2000, although the High Court can extend this limit on reasonable grounds. Section 46 provides that the person appointed to the post of adjudicating officer must be a government officer of a rank not below that of a Director or an equivalent rank, and must have experience in the field of Law as well as Information Technology. Section 61 bars the civil courts from having jurisdiction over the cases which have been delegated to the adjudicating officer or the CAT as prescribed in the IT Act, particularly the cases where the claim for injury or damage is below 5 crore (as mentioned in Section 46 (1A) [34]).
[32] Section 46. Establishment of Cyber Appellate Tribunal.—(1) The Central Government shall, by notification, establish one or more appellate tribunals to be known as the Cyber Appellate Tribunal.
(2) The Central Government shall also specify, in the notification referred to in sub-section (1), the matters and places in relation to which the Cyber Appellate Tribunal may exercise jurisdiction.
[33] Section 62. Appeal to High Court.—Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of such order:
Provided that the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.
[34] Section 46 (1A). Power to adjudicate. (1)…
(1A) The adjudicating officer appointed under sub-section (1) shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed rupees five crore:
Provided that the jurisdiction in respect of the claim for injury or damage exceeding rupees five crore shall vest with the competent court.
6: Procedures established by the IT Act, 2000
The enactment of the IT Act, 2000 also established certain procedures to be followed while following the footsteps of the law. The power to make rules and prescribe procedures has been given to the Central Government by virtue of Section 87. The various procedures that are established by the law are as follows:
a. The Cyber Regulation Appellate Tribunal Procedure Rules, 2000
These rules lay down the procedure that is to be followed by the Cyber Appellate Tribunal and by the entity making any appeal to it or defending itself. They prescribe the procedure, place, fee, contents for filing applications etc. They also deal with the documents that should accompany the application, and establish the procedure for serving notice on the respondent, the procedure to be followed by the respondent for defence etc. In addition, the rules provide for the sitting of the tribunal, the time of hearing and the communication of orders to the parties. Moreover, the rules set the working hours and sitting hours of the tribunal and the powers and functions of the Registrar.
b. The Information Technology (Security Procedure) Rules, 2004
These rules provide for the procedure that has to be followed to declare an electronic record and a digital signature to be secure. For example, a secure electronic record is one that has been authenticated by means of a digital signature. A procedure is likewise given for declaring a digital signature secure.
[Figure: Part VI – Procedural Guidelines, listing: The Cyber Regulation Appellate Tribunal Procedure Rules, 2000; The Information Technology (Security Procedure) Rules, 2004; The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009; The Information Technology (Procedure and Safeguard for Blocking For Access of Information By Public) Rules, 2009; The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data and Information) Rules, 2009; The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011]
c. The Cyber Appellate Tribunal (procedure for investigation of misbehavior or incapacity of chairperson and members) Rules, 2009
These rules lay down the procedure that is to be followed when a case is to be registered against the chairperson or a member of the Cyber Appellate Tribunal. A committee has to be formed for it, a judge needs to conduct the investigation and the powers are accordingly assigned to him; the rules also establish the procedure for the suspension of the accused. The format and submission of the report is also provided.
d. The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
These rules are made in accordance with Section 69 [35] of the ITA, 2000, which gives power to the Central Government for interception, monitoring and decryption of information. The rules prescribe procedures for the interception, monitoring and decryption of information, and for the authorization of the government agencies and of the States which do the same beyond their jurisdiction. They provide the procedure for issuing directions, which differs from case to case, along with the content of the direction and the period of its validity. The rules also authorize the agency to appoint a nodal officer, and direct the intermediaries to provide assistance with the directions and to appoint a designated officer for the same, who will follow the directions, maintain records and follow instructions. Moreover, the rules prohibit such interception, monitoring or decryption without authorization.
[35] Section 69. Power to issue directions for interception or monitoring or decryption of any information through any computer resource.—(1) Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do, in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.
(2) The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.
(3) The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1) extend all facilities and technical assistance to—
(a) provide access to or secure access to the computer resource generating transmitting, receiving or storing such information; or
(b) intercept, monitor, or decrypt the information, as the case may be; or
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.
e. The Information Technology (Procedure and Safeguard for Blocking For Access of Information by Public) Rules, 2009
These rules are made to comply with the provisions of Section 69A [36]. They provide the procedure for blocking of websites. Moreover, they state that only a designated officer has the authority to issue a blocking direction under the powers and directions provided therein.
The rules also deal with making a request for the formation of a committee, its regulation and examination. They state the process for a court order for blocking of information, how the direction for the same is to be given to the intermediaries, and the intermediaries' liabilities.
f. The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data and Information) Rules, 2009
These rules establish the procedure to be observed under Section 69B [37]. Here also an authorized government agency is prescribed for monitoring and collection of information; the liabilities and responsibilities of the intermediaries are set, and the handling, safeguarding and destruction of the records are also prescribed.
[36] Section 69A. Power to issue directions for blocking public access of any information through any computer resource.—(1) Where the Central Government or any of its officers specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do, in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing by order, direct any agency of the Government or intermediary to block for access by the public any information generated, transmitted, received or stored in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out, shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.
[37] Section 69B. Power to authorise to monitor and collect traffic data or information through any computer resource for cyber security.—(1) The Central Government may, to enhance cyber security and for identification, analysis and prevention of intrusion or spread of computer contaminant in the country, by notification in the Official Gazette, authorise any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.
(2) The intermediary or any person in-charge of the computer resource shall, when called upon by the agency which has been authorised under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Explanation.—For the purpose of this section,—
(i) “computer contaminant” shall have the meaning assigned to it in section 43;
(ii) “traffic data” means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service and any other information.
g. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
These rules are to be read with Section 43A [38] of the ITA, 2000, i.e., compensation for failure to protect data. They establish a procedure by which a body corporate shall furnish the personal data or information (including the sensitive personal data or information); they prescribe the minimum security practices and also the procedure for collection, retention, destruction, transfer and disclosure of such personal data or information.
[38] Section 43A. Compensation for failure to protect data.—Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation.—For the purposes of this section,—
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
7: Guidelines given in The IT Act, 2000
Intermediary guidelines, 2011
In exercise of the powers conferred by clause (zg) of sub-section (2) of Section 87 read with sub-section (2) of Section 79 of the Information Technology Act, 2000, the Central Government hereby makes these rules. These guidelines set out the due diligence to be observed by intermediaries, which they must follow to exempt themselves from liability. The rule specifies that the intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission. Also it is said that they shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission.
Guidelines for cyber cafe, 2011
These guidelines are framed in accordance with Section 79 [39] of the IT Act, 2000. They provide the procedure for the registration of a cyber café, with a unique registration number, with an agency called the registration agency. They provide a process for maintaining the records of the identification of users. The cyber café is required to keep a record of the user identification document by storing either a photocopy or a scanned copy of the document, duly authenticated by the user and authorized by the representative of the cyber café. The cyber café may maintain an online version of the log register. The rules also give directions for the management of the physical layout and computer resources. Moreover, an officer authorized by the registration agency is empowered by the rules to check or inspect a cyber café.
[39] Section 79. Exemption from liability of intermediary in certain cases.—(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-section (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.
(2) The provisions of sub-section (1) shall apply if—
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.
(3) The provisions of sub-section (1) shall not apply if—
(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;
(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
Explanation.—For the purpose of this section, the expression “third party information” means any information dealt with by an intermediary in his capacity as an intermediary.
8: Major Amendments in the IT Act, 2000
When the Information Technology Act, 2000 came into force, the prime objective of its enactment was to generate reliability in electronic commerce and to give legal recognition to electronic records. Keeping these objectives in mind the whole enactment was designed. As a result, various other issues remained untouched or neglected. But, with the advancement of technology and constant pestering by the experts in the field, the IT Act, 2000 was amended. The most recent amendment is the Information Technology Amendment Act, 2008, in which certain pertinent amendments were made. The amended IT Act, 2000 has the following salient features:
The new amendment brought in Section 43A, which states that if a body corporate fails to protect sensitive personal information, it is legally obliged to pay damages.
Two very important definitions were added to the IT Act, 2000 through the IT Amendment Act, 2008: Section 2(ha), “communication device”, and Section 2(w), “intermediary”.
Section 66 has been amended to include offences punishable as per Section 43, which has also been amended to include offences like introduction of virus, manipulating accounts, denial of services etc.
Another Section which got added is Section 66A. Through this Section, sending of menacing or annoying messages and also misleading information about the origin of the message has become punishable with imprisonment up to three years and fine. Moreover, spamming and phishing will be covered indirectly under it.
Dishonestly receiving and retaining any stolen computer resource or communication device is also made punishable by the amendment brought under Section 66B.
“Identity Theft”: as per Section 66C, any dishonest use of somebody else’s digital identity has been made punishable with imprisonment which may extend to three years and with liability to fine which may extend to rupees one lakh.
“Child Pornography”: the newly introduced Section 67B attempts to address the issue of child pornography. This Section makes the publication or transmission of material in any electronic form which depicts children engaged in sexually explicit act or conduct punishable, as well as anyone who creates, facilitates or records these acts and images, with imprisonment of five years and fine which may extend up to ten lakhs on the first offence, and seven years and fine of ten lakhs on a subsequent offence.
Surveillance, Interception and Monitoring: in order to combat cyber terrorism the government has further armed itself with drastic powers under Section 69 of the IT Act, 2000. Moreover, the amendment to this Section enhances its scope to include interception and monitoring. This has been a major change in the Section, which also empowers the government not only to monitor any traffic data but also to block any site through any intermediary. Earlier the provision did not mention any fine, but now any failure on the part of the intermediary is punishable by seven years and also fine (Section 69(4)).