
CYBER AND TECHNOLOGY LAWS

(Commentary on Information Technology Act, 2000 & Amendments of 2008)



All rights reserved. No part of this work may be copied, reproduced, adapted, abridged or translated, stored in any retrieval system, computer system, photographic or other system or transmitted in any form by any means whether electronic, mechanical, digital, optical, photographic or otherwise without a prior written permission of the copyright holder. Any breach will entail legal action and prosecution without further notice. While every effort has been made to avoid any mistake or omission, this publication is being sold on the condition and understanding that neither the author nor the publishers or printers would be liable in any manner to any person by reason of any mistake or omission in this publication or for any action taken or omitted to be taken or advice rendered or accepted on the basis of this work. For any defect in printing or binding the publishers will be liable only to replace the defective copy by another copy of this work then available. All disputes will be subject to exclusive jurisdiction of courts, tribunals and forums at Delhi only.

ISBN: 978-81-905977-3-9
Copyright Vipull Vinod
Published by: Krishna Publications, New Delhi (India)
Ph.: +91-9873171418, 9911171418
Fax: +91-11-43115444
Email: info@rsprints.com
Website: http://www.rsprints.com


VIPULL VINOD
Assistant Professor (Dr. Ram Manohar Lohia National Law University; Lucknow)


PREFACE

Naturally, many readers will be very familiar with the Internet. On its face, it is nothing more than an amorphous computer network with terminals and servers randomly scattered and haphazardly interconnected across the globe. Technologically, of course, it's very interesting. Information, whether text, image, audio, video or other data type, can be accessed or transmitted from anywhere to anywhere, with the mere click of a mouse button. But that's not where the Internet's real opportunity lies, particularly not for the lawyer and law students. Suffice it to say, however, we are in the midst of a revolution and that, from this vantage point, we can only note and be part of the revolution, not quantify it. But being part of the revolution is the opportunity, for this revolution is not a single faceted event. Instead, it is touching every arena of modern society and, once touched, this society will be forever changed.

For law students and lawyers, therefore, this is a marvellous time. Almost every aspect of law is being challenged and many legal frameworks are inadequate to deal with the Internet. Designing, building, implementing and modifying the necessary legal guidelines for the Internet give today's lawyers, whether in private practice, academia or in government, a profound "Cyber" opportunity.

In India, the present educational system is such that a Technology student has no exposure to Law and a Law student has no exposure to Technology. Hence a Computer science student in a College is taught how to develop programs that can automatically transmit data across the Internet riding on a TCP/IP packet, without alerting him to cyber crimes such as Hacking or Virus introduction. The Law students on the other hand are taught about Trade Marks and Copyrights without recognizing their implications on the Electronic documents. As a result, neither the Technologist nor the Lawyer is trained in his formative years to understand Cyber Law.

I therefore felt that there was a need for techno-legal experts to de-codify Cyber Law and make it possible for a large section of the society to take up the study of Cyber Law. It is envisaged that in future, Engineering, Commerce and Management Colleges will teach Cyber Law as an extension of Computer Science, Commerce and Management Education, even while the Law Colleges try to extend their coverage of Criminal Laws and IPR laws to the Cyber world. This book addresses many of the legal issues, of course, and in so doing gives the reader an insight into these opportunities. Needless to say, today's lawyers have an unparalleled opportunity and I encourage anyone interested in this legal space to seize this and rise to the challenge.

Lastly, I should like to acknowledge my considerable debt to many people and institutions that have helped me during this book. Let me say first that they are responsible for many of the ideas in this book but that only I wish to be held responsible. My greatest debt is to my father Dr. VINOD KUMAR who taught me and inspired me to research and translate that into a manuscript. Mr. RAJVEER SINGH (SENIOR MANAGER, IT Dept. HAL, KANPUR) and NAMAN VINOD (INFOSYS, PUNE) taught me various concepts of Information Technology and provided unconditional support throughout this duration.

VIPULL VINOD ASSISTANT PROFESSOR DRMLNLU, LUCKNOW

CONTENTS

CHAPTER I PRELIMINARY
Section 1: Short Title, Extent, Commencement and Application
Section 2: Definitions
Whether ATM is computer

CHAPTER II DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE
Evolution of Digital Signature
Digital Signature
Digital Revolution in India
Electronic Signature and Digital Signature
Digital Signature Certificate (DSC)
Types of Digital Signatures
Digital Signatures and Evidence Act
Digital Signatures and Indian Penal Code
Section 3: Authentication of electronic records
Section 3-A: Electronic Signature
Evolution of Electronic signature

CHAPTER III ELECTRONIC GOVERNANCE
Understanding e-Governance
Scope of E-Governance
E-Citizenship
E-Registration
E-Transportation
E-Health
E-Education
E-Help
E-Taxation
E-Democracy
E-Feedback
E-administration
E-police
E-courts
E-Taxation
E-Licensing
E-Tendering
Difference between e-governance and e-government
Objectives of E-Governance
To build an informed society
To increase Government and Citizen Interaction
To encourage citizen participation
To bring transparency in the governing process
To make the Government accountable
To reduce the cost of Governance
To reduce the reaction time of the Government
National e-Governance Plan: the common future of all
Common Support Infrastructure
Section 4: Legal Recognition of Electronic Records
Section 5: Legal recognition of [Electronic Signature]
Section 6: Use of Electronic Records and Electronic Signature in Government and its agencies
Section 6-A: Delivery of Services by Service Provider
Section 7: Retention of Electronic Records
Section 7-A: Audit of Documents etc. in Electronic form
Section 8: Publication of rules, regulation, etc, in Electronic Gazette
Section 9: Sections 6, 7 and 8 Not to Confer Right to insist document should be accepted in electronic form
Section 10: Power to Make Rules by Central Government in respect of Electronic Signature
Section 10-A: Validity of contracts formed through electronic means

CHAPTER IV ATTRIBUTION, ACKNOWLEDGMENT AND DISPATCH OF ELECTRONIC RECORDS
Section 11: Attribution of Electronic Records
Section 12: Acknowledgement of Receipt
When e-commerce is binding
Section 13: Time and place of dispatch and receipt of electronic record

CHAPTER V SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES
Section 14: Secure Electronic Records
Section 15: Secure Electronic Signature
Section 16: Security procedures and Practices

CHAPTER VI REGULATION OF CERTIFYING AUTHORITIES
Section 17: Appointment of Controller and other officers
Section 18: Functions of Controller
Section 19: Recognition of foreign Certifying Authorities
Section 20: Controller to act as repository
Section 21: License to issue electronic signature certificates
Overall Management and Obligations
Certificate and Key Management
Systems and Operations
Physical, procedural and personnel security
Financial
Compliance Audits
Section 22: Application for license
Section 23: Renewal of license
Section 24: Procedure for grant or rejection of license
Section 25: Suspension of License
Giving a reasonable opportunity of showing cause against the proposed suspension of licence
Inquiry against the actions taken by certifying authority
Suspension of licence pending the completion of any inquiry ordered by him
Giving a reasonable opportunity of showing cause against the proposed revocation of licence
Revocation of the licence
Section 26: Notice of suspension or revocation of license
Section 27: Power to delegate
Section 28: Power to investigate contraventions
Power regarding discovery, production of evidence, etc
Power regarding Search and seizure
Power to requisition books of account, etc
Power to call for information
Power of survey
Power to collect certain information
Power to inspect registers of companies
Power to make an enquiry
Proceedings before the Controller to be judicial proceedings for limited purposes
Section 29: Access to computers and data
Section 30: Certifying Authority to follow certain procedures
What is repository
Section 31: Certifying Authority to ensure compliance of the Act, etc.
Section 32: Display of license
Section 33: Surrender of license
Failure to Surrender the Licence is a Punishable Offence
Section 34: Disclosure

CHAPTER VII ELECTRONIC SIGNATURE CERTIFICATES
Section 35: Certifying Authority to issue Electronic Signature Certificate
Section 36: Representations upon issuance of Digital Signature Certificate
Section 37: Suspension of Digital Signature Certificate
Certificate Revocation List (CRL)
Section 38: Revocation of Digital Signature Certificate
Section 39: Notice of suspension or revocation

CHAPTER VIII DUTIES OF SUBSCRIBERS
Section 40: Generating Key Pair
Section 40-A: Duties of subscriber of Electronic Signature Certificate
Section 41: Acceptance of Digital Signature Certificate
Section 42: Control of Private Key

CHAPTER IX PENALTIES, COMPENSATION AND ADJUDICATION
Section 43: Penalty and Compensation for damage to computer, computer system, etc.
Section 43A: Compensation for failure to protect data
Section 44: Penalty for failure to furnish information, return, etc.
Section 45: Residuary Penalty
Section 46: Power to Adjudicate
Section 47: Factors to be taken into account by the adjudicating officer
Gain of unfair advantage
Amount of loss caused to any person

CHAPTER X THE CYBER APPELLATE TRIBUNAL
Section 48: Establishment of Cyber Appellate Tribunal
Section 49: Composition of Cyber Appellate Tribunal
Section 50: Qualifications for appointment as Chairperson and Members of Cyber Appellate Tribunal
Section 51: Term of office, conditions of service etc of Chairperson and Members
Section 52: Salary, allowance and other terms and conditions of service of Chairperson and Member
Section 52-A: Powers of superintendence, direction, etc.
Section 52-B: Distribution of Business among Benches
Section 52-C: Powers of the Chairperson to transfer cases
Section 52-D: Decision by majority
Section 53: Filling up of vacancies
Section 54: Resignation and removal
Section 55: Orders constituting Appellate Tribunal to be final and not to invalidate its proceedings
Section 56: Staff of the Cyber Appellate Tribunal
Section 57: Appeal to Cyber Regulations Appellate Tribunal
Section 58: Procedure and Powers of the Cyber Appellate Tribunal
Section 59: Right to legal representation
Section 60: Limitation
Section 61: Civil court not to have jurisdiction
Section 62: Appeal to High court
Section 63: Compounding of Contravention
Section 64: Recovery of Penalty or compensation

CHAPTER XI OFFENCES
Who is the competent authority to try offences under Chapter XI of the I.T. Act
Section 65 - Tampering with computer source documents
- Cell phone unlocking amount to tampering in computer source code
Deletion of information in a computer can not amount to an offence under section 65 of the IT act, 2000
Tampering with automatic billing machine amounts to tampering computer source code
Section 66: Computer Related Offences
Section 66A: Punishment for sending offensive messages through communication service, etc.
- Sending vs. Publishing
Section 66-B: Punishment for dishonestly receiving stolen computer resource or communication device
Section 66-C: Punishment for identity theft
Section 66-D: Punishment for cheating by personation by using computer resource
Section 66-E: Punishment for violation of privacy
Section 66-F: Punishment for cyber terrorism
Section 67: Punishment for publishing or transmitting obscene material in electronic form
Watching pornography no offence: IPC and IT Act
Similarity of section 67 IT act 2000 and section 292 IPC
Section 67-B: Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form
Section 67-C: Preservation and Retention of information by intermediaries
Section 68: Power of Controller to give directions
Section 69: Powers to issue directions for interception or monitoring or decryption of any information through any computer resource
Information technology Act, 2000 and Indian Telegraph Act of 1885
Section 69-A: Power to issue directions for blocking for public access of any information through any computer resource
Section 69-B: Power to authorise to monitor and collect traffic data or information through any computer resource for Cyber Security
Section 70: Protected system
Section 70-A: National Nodal Agency
Section 70-B: Indian Computer Emergency Response Team to serve as national agency for incident response
Section 71: Penalty for misrepresentation
Section 72: Penalty for breach of confidentiality and privacy
Section 72-A: Punishment for Disclosure of information in breach of lawful contract
Difference between Section 72 and Section 72A
Section 73: Penalty for publishing electronic Signature Certificate false in certain particulars
Section 74: Publication for fraudulent purpose
Section 75: Act to apply for offence or contraventions committed outside India
Section 76: Confiscation
Section 77: Compensation, penalties or confiscation not to interfere with other punishment
Section 77-A: Compounding of Offences
Section 77-B: Offences with three years imprisonment to be cognizable
Section 78: Power to investigate offences

CHAPTER XII INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES
Section 79: Exemption from liability of intermediary in certain cases

CHAPTER XII-A EXAMINER OF ELECTRONIC EVIDENCE
Section 79-A: Central Government to notify Examiner of Electronic Evidence

CHAPTER XIII MISCELLANEOUS
Section 80: Power of Police Officer and Other Officers to Enter, Search, etc.
Section 81: Act to have Overriding effect
Section 81-A: Application of the Act to Electronic cheque and Truncated cheque
Section 82: Chairperson, Members, Officers and Employees to be Public Servants
Section 83: Power to Give Directions
Section 84: Protection of Action taken in Good Faith
Section 84A: Modes or methods for encryption
Section 84-B: Punishment for abetment of offences
Section 84-C: Punishment for attempt to commit offences
Section 85: Offences by Companies
Section 86: Removal of Difficulties
Section 87: Power of Central Government to make rules
Section 88: Constitution of Advisory Committee
Section 89: Power of Controller to make Regulations
Section 90: Power of State Government to make rules
Section 91: Amendment of Act 45 of 1860
Section 92: Amendment of Act 1 of 1872
Section 93: Amendment of Act 18 of 1891
Section 94: Amendment of Act 2 of 1934

CASES
A. Shankar S/o. K. Achimuthu Vs. State rep. by Deputy Superintendent of Police, Cyber Crime Cell Crime Branch CID
Abdul Hamid and Another Vs. C.B.I
Abhijith R. Prasad Vs. State of Kerala Represented and The Circle Inspector of Police
Abhinav Gupta Vs. State of Haryana
Aneeta Hada Vs. Godfather Travels and Tours Pvt. Ltd.
Avnish Bajaj Vs. State
Banyan Tree Holdings Limited Vs. M. Murali Krishna Reddy and Anr
Diebold Systems Pvt. Ltd. vs. The Commissioner of Commercial Taxes
Dharambir vs. CBI
Ebay India Pvt. Ltd. Vs. State and Anr
Google India Pvt. Ltd. Vs. Vinay Rai and Anr
Jatan Thakur (Dr.) Vs. Union of India & Ors
JCB India Ltd. Vs. I.P. Address: 122.163.98.166 and Ors
K.K. Velusamy vs. N. Palanisamy
Koshy Vs. State of Kerala
Kulwinder Singh Vs. State of Punjab
Maqbool Fida Husain Vs. Raj Kumar Pandey
Meharban khan vs. UOI
Nirav Navinbhai Shah and 4 Ors. Vs. State of Gujarat and Anr
Orissa Consumers Association vs. Orissa Electricity Regulatory Authority
Rajiv Dinesh Gadkari through P.A. Depamala Gadkari Vs. Smt. Nilangi Rajiv Gadkari
Routermania Technologies (P.) vs. ITO
Samdeep Varghese Vs. State of Kerala and Ors
Sanjay Kumar Kedia Vs. Narcotics Control Bureau and Anr
Satinderjit Singh Vs. State of Punjab
Simon Dunolz and Others Vs. State of Uttarakhand
State of Tamil Nadu vs Suhas Katti
Sunny Dhiman Vs. State of Punjab
Unistal System Pvt. Ltd. Vs. Prodata Doctor Pvt. Ltd
Varpaul Singh Vs. State of Punjab
Vyakti Vikas Kendra, India Public Charitable Trust Thr Trustee Mahesh Gupta & Ors Vs. Jitender Bagga & Anr

STATUTES
Code of Criminal Procedure, 1973
Companies Act 1956
English Statutes of Fraud
Finance Act 1994
General Clauses Act, 1897
Income Tax Act 1961
India Post Office Act 1898
Indian Evidence Act 1872
Indian Penal Code, 1860
Information Technology Amendment Act, 2008
Limited Liability Partnership Act 2008
Telegraph Act 1885
The Cyber Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Chairperson and Members) Rules, 2009
The Information Technology (Electronic Service Delivery) Rules, 2011
The Information Technology (Guidelines for Cyber Cafe) Rules, 2011
The Information Technology (Intermediaries guidelines) Rules, 2011
The Information Technology (Reasonable security practices and Procedures and sensitive personal data or information) Rules, 2011

OTHER AUTHORITIES
Department of Administrative Reforms and Public Grievances
Department of Electronics and Information Technology
https://nicca.nic.in/
Mission Mode Projects

RULES
Cyber Appellate Tribunal (Procedure) Rules, 2000
Government of India (Allocation of Business Rules)
Information Technology (Certifying Authorities) Rules, 2000
Information Technology (Intermediary Guidelines) Rules, 2011
Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules 2009
The Cyber Appellate Tribunal (Procedure for investigation of Misbehaviour or Incapacity of Chairperson and Members) Rules, 2009
The Information Technology (Certifying Authority) Regulations, 2001
The Information Technology (Intermediaries Guidelines) Rules, 2011
The Information Technology (Other Standards) Rules, 2003
The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public), 2009
The Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
The Information Technology (Security Procedure) Rules, 2004
The Information Technology (Use of electronic records and digital signatures) Rules, 2004

REGULATIONS
MCA-21

ABBREVIATIONS
ILR : Indian Law Reports
AIR : All India Reporter
DLT : Delhi Law Times
SCC : Supreme Court Cases
MANU : Manupatra
GLT : Gauhati Law Times
Cri.L.J : Criminal Law Journal
GLR : Gujarat Law Report
KLJ : Kerala Law Journal
BOMLR : Bombay Law Reports
PTC : Patent & Trade Marks Cases

The Information Technology Act, 2000 As amended by The Information Technology (Amendment) Act, 2008


CHAPTER I

PRELIMINARY
Section 1: Short Title, Extent, Commencement and Application:

(1) This Act may be called the Information Technology Act, 2000. [As Amended by Information technology (Amendment) Act 2008]
(2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention there under committed outside India by any person.
(3) It shall come into force on such date as the Central Government may, by notification, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the commencement of that provision. [Act notified with effect from October 17, 2000. Amendments vide ITAA-2008 notified with effect from....]
(4) (Substituted Vide ITAA-2008) Nothing in this Act shall apply to documents or transactions specified in the First Schedule: Provided that the Central Government may, by notification in the Official Gazette, amend the First Schedule by way of addition or deletion of entries thereto.
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.

Section 2: Definitions -

(1) In this Act, unless the context otherwise requires,

2 (a) access with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network.

Access, in the Information Technology Act 2000, means the privilege to use computer information in some manner, or the act of reading data from or writing data to a storage device. More specifically, access often means to read data from or write data to a mass storage device. A user can access files, directories, computers, peripheral devices or other computers linked or connected with one another. For example, a user might be granted read access to a file, meaning that the user can read the file but cannot modify or delete it. Most operating systems have several different types of access privileges that can be granted or denied to specific users or groups of users. Further, programs can access memory, which means they read data from or write data to main memory. It is common knowledge that a computer works on logical and arithmetical principles: any instruction to the computer is first translated into logical and arithmetical language, and similarly the output is translated from logical and arithmetical language into the desired information. The time it takes to locate a single byte of information on a mass-storage device is called the access time.

2 (b) addressee means a person who is intended by the originator to receive the electronic record but does not include any intermediary.

Addressee, in the Information Technology Act 2000, is defined as the person, company, or the like to whom an electronic record or piece of electronic record is addressed. Let's take the example of e-mail as the electronic record. Modern e-mail operates across the Internet or other computer networks. Thus, if you send an e-mail addressed to your friend sitting next to you, it might pass through several computers and various networks before reaching your friend. As per this definition, the addressee is your friend, not the several computers and networks the message crossed on the way. Understand it as if you have posted a letter to your brother working in the USA. This letter would pass through several hands, e.g. postman, airport authorities etc., but none of them is the addressee; only your brother is. Normally an addressee will eventually be a recipient, unless there is a failure at some point (an e-mail bounces) or the message is redirected to a different addressee.

2 (c) adjudicating officer means an adjudicating officer appointed under subsection (1) of section 46;

Adjudicating literally means to hear and decide (a case) or to serve as a judge in or on a dispute or problem. The provisions of the IT Act 2000, however, ensure the establishment of the office of Adjudicating Officer. The Adjudicating Officer has all the powers of a Civil Court.

2 (d) affixing digital signature with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of [Electronic Signature]1;

As per section 3(56) of the General Clauses Act, 1897, the word sign, with its grammatical variations and cognate expressions, shall, with reference to a person who is unable to write his name, include mark. However, this definition does not actually define the term; it only states that affixing any mark, in the case of a person unable to write, would amount to a sign. While interpreting section 17 of the English Statutes of Fraud, an English court held that if a party to a contract signs his name in any part of it in such a way as to acknowledge that he is the party contracting, that is a sufficient signature. A digital signature should not be confused with an electronic signature. The two are different and are not synonyms. It can be noticed that the term electronic signature is very wide, and digital signature is only one of the many kinds of electronic signature one can envisage. The basic purpose of a digital signature is not different from that of a conventional signature. The purpose therefore is to authenticate the document, to identify the person and to make the contents of the document binding on the person putting the digital signature.

2 (e) appropriate government means as respects any matter,
I. Enumerated in List II of the Seventh Schedule to the Constitution;
II. relating to any State law enacted under List III of the Seventh Schedule to the Constitution;
the State Government and in any other case, the Central Government;

Generally, it is observed that in several statutes which define the term appropriate government, if the subject matter is related to the powers of the state government or comes under the state list, then appropriate government will mean the state government, while if the subject matter is related to the power of the central government or comes under the union list, appropriate government will mean the central government. It can be further observed that this is not a very strict rule and could vary from situation to situation and case to case. However, in this definition, for anything that comes under List II (state list) or List III (concurrent list), appropriate government will imply the state government, and otherwise the central government.

2 (f) asymmetric crypto system means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;

In an asymmetric cryptographic or public-key cryptography algorithm, different keys are used to encrypt and decrypt a single message or block of stored information. One of the keys is kept secret and referred to as a private key; the other key can be freely disclosed and is called a public key. The public key is made publicly available and is used to encrypt messages by anyone who wishes to send a message to the person that the key belongs to. The private key is kept secret and is used to decrypt received messages. Thus, if an electronic document containing a digital signature is sent to me, I can use the public key to verify whether the sender really is who he claims to be. Similarly, if I want to create a contract with Mr. Gill Bates residing in the USA, an asymmetric crypto system gives me the freedom to generate my digital signature by using my private key and put it (upload) on the document, to create a legal contract through the internet. Thereafter Mr. Bates could verify my signature by using the public key.
2 (g) Certifying Authority means a person who has been granted a license to issue a [Electronic Signature]2 Certificate under section 24;

A Certificate Authority (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate. Safescrypt, IDRBT, NIC, TCS, MTNL, (n)Code and e-Mudhra are some licensed CAs. However, Section 24 of this Act deals more specifically with the various aspects of the certifying authority.

2 (h) certification practice statement means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing [Electronic Signature]3 Certificates.

A Certification Practice Statement (CPS) is a document from a Certificate Authority or a member of a web of trust which describes their practice for issuing and managing public key certificates. Some elements of a CPS include documenting practices of issuance, publication, archiving, revocation and renewal. By detailing the practice of issuance, revocation and renewal, a CPS aids entities in judging the relative reliability of a given certificate authority. Think of it this way: you are going to get a new Airtel or Vodafone postpaid connection, and you need to agree with the terms and policies of the company. Similarly, certification practice statements are the internal policies of the company (here, the CA) about the digital signature certificate.

2 (ha) Communication Device means Cell Phones, Personal Digital Assistance (Sic), or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image.4

New communication systems and digital technology have made dramatic changes in the way we live and the means to transact our daily business. It thus became necessary to include some devices such as multimedia cell phones, PDAs etc.
However, prior to the Information Technology Amendment Act, 2008, these devices were implicitly presumed to be computers, as they qualified as such under 2(i) of the old Act. Although cell phones and other devices used to communicate would fall under the definition of computer in the IT Act, this amendment removes any ambiguity and brings within the ambit of the Act all communication devices, cell phones, i-pods or other devices used to communicate, send or transmit any text, video, audio or image.

2 (i) computer means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

Generally, we understand a computer as an electronic device for storing and processing data, typically in binary form, according to instructions given to it in a variable program. A computer is a device that accepts information in the form of digitalized data and manipulates it for some result based on a program or sequence of instructions on how the data is to be processed. Complex computers also include the means for storing data, including the program, for some necessary duration. A program may be invariable and built into the computer, or different programs may be provided to the computer (loaded into its storage and then started by an administrator or user). Initially, computers were only electronic, but later, with the advent of the hard disk drive, floppy disk drive etc., data could be stored on magnetic material also. The latest media, CD, DVD, Blu-ray etc., started the optical era of the computer. Thus this definition is very elaborate and tries to bring every possible thing within it. Your mobile phone, i-pad and i-pod all come under this definition of computer.

Whether ATM is computer?


The Karnataka High Court in Diebold Systems Pvt. Ltd. vs. The Commissioner of Commercial Taxes,⁵ held that the Information Technology Act, 2000, is an Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the government agencies etc. The purpose and object of the Information Technology Act is to recognize the transactions carried out by means of electronic data interchange and other means of electronic communication. To suit the purpose and objective of the Act, the Parliament has defined the expression "computer" by giving it a very wide meaning, but at
the same time, by using the expression "means" immediately after the word "computer", the legislature intends to make it clear that the definition is exhaustive and no other meaning can be assigned to the expression than what is included in the definition. It further said, "an automatic teller machine, in our view, is an electronic device, which allows a bank's customer to make cash withdrawals, and check their account balances at any time without the need of human teller, probably that most widely used means of electronic funds transfer. ... ATM is not a computer by itself and it is connected to a computer that performs the task requested by the person using ATMs. The computer is connected electronically to many ATMs that may be located from some distance from computer."

2 (j) "computer network" means the inter-connection of one or more computers [or computer systems or communication device]⁶ through
I. the use of satellite, microwave, terrestrial line, [wire, wireless]⁷ or other communication media; and
II. terminals or a complex consisting of two or more interconnected computers [or communication device]⁸ whether or not the interconnection is continuously maintained;

A computer network is a collection of computers and network hardware interconnected by communication channels (such as satellite, microwave, terrestrial line etc.) that allow sharing of resources and information. When a process in one device is able to exchange information with a process in another device, the two devices are said to be networked. A network is a group of devices connected to each other. This definition further says that a constant connection between the terminals (a group of computers or sometimes even a single computer) is not necessary at all times.

2 (k) "computer resource" means computer, computer system, computer network, data, computer data base or software.

Computer resource generally means the aggregate of available computer hardware, software, documentation, supplies, support services, and sometimes even trained personnel. A computer resource is any physical or virtual component of
limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files, network connections and memory areas. Major resources are CPU, random access memory and virtual memory, hard disk space, network throughput, electrical power, external devices, input/output operations etc.

2 (l) "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

Section 2(i) of this Act makes clear that the basic characteristic of a computer is the performance of logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, including all input, output, processing, storage etc. However, in this definition, computer system means a device or collection/arrangement of devices that is programmable and is capable of being used in conjunction with external files which contain computer programs, electronic instructions, input and output data, and that performs logic, arithmetic, data storage and retrieval, communication control and other functions. The main Central Processing Unit (CPU) consists of a motherboard having a microprocessor and some cards, such as a display card and a sound card, and a hard disk. All these in conjunction perform the function of storing and processing data and making calculations or controlling machinery. But it excludes any device, such as a calculator, which is not programmable and is not capable of being used in conjunction with external files⁹ containing computer programs and electronic instructions.
However, if in future such a calculator comes up, it would find its place as a computer system. Similarly, in Routermania Technologies (P.) vs. ITO, the Income Tax Appellate Tribunal, Mumbai held that in this Act the router is a part of a computer system and not a computer network, and in any case a router cannot be called a part of the
computer... router is not a part of computer.

2 (m) "Controller" means the Controller of Certifying Authorities appointed under sub-section (1) of section 17.

The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users. The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under section 17 of the Act for purposes of the IT Act. The Office of the CCA came into existence on November 1, 2000. It aims at promoting the growth of e-commerce and e-governance through the wide use of digital signatures.

2 (n) "Cyber Appellate Tribunal" means the Cyber [ ]¹⁰ Appellate Tribunal established under sub-section (1) of section 48.

The Cyber Appellate Tribunal has been established under the Information Technology Act under the aegis of the Controller of Certifying Authorities (C.C.A.). The first and only Cyber Appellate Tribunal in the country has been established by the Central Government in accordance with the provisions contained under Section 48(1) of the Information Technology Act, 2000. The Cyber Appellate Tribunal has, for the purposes of discharging its functions under the I.T. Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908. However, the procedure laid down by the Code of Civil Procedure, 1908 applies, but at the same time the Tribunal is guided by the principles of natural justice. The Cyber Appellate Tribunal has powers to regulate its own procedure, including the place at which it has its sittings.
Every proceeding before the Cyber Appellate Tribunal shall be deemed to be a judicial proceeding within the meaning of sections 193 and 228, and for the purposes of section 196 of the Indian Penal Code, and the Cyber Appellate Tribunal shall be deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973.

2 (na) "cyber cafe" means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public;¹¹

Alternatively referred to as an Internet cafe, PC bang, or Net cafe, a cybercafe is a place where computer users can use a computer, either their own or one provided by the cybercafe, to access the Internet, play games, create documents and spreadsheets, chat with friends and family using voice and video, and perform a number of other computer-related tasks. Typically, the computer and Internet access are provided for an hourly or daily fee.

2 (nb) "cyber security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;¹²

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity. Nevertheless, in this definition cyber security refers to the protection of information, of equipment, of computers and computer resources, or of communication devices. Further, this protection must be from unauthorized access, use, disclosure, disruption, modification or destruction.

2 (o) "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

Information in raw or unorganized form, such as alphabets, numbers, or symbols, that refers to or represents conditions, ideas, or objects is known as data. Data is limitless and present everywhere in the universe.
In the cyber sense, data implies symbols or signals that are input, stored, and processed by a computer, for output as usable information. The Delhi High Court in Dharambir vs. CBI,¹³ held that ... data
includes not only active memory of computer/hard disc but even in subcutaneous memory.

2 (p) "digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.

A digital signature is a method of verifying the authenticity of an electronic document. The Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted on par with handwritten signatures, and electronic documents that have been digitally signed are treated on par with paper documents. For messages sent through a channel, a good implementation of a digital signature algorithm is one that makes the receiver believe that the message was sent by the claimed sender, and trust the message. Digital signatures can also provide acknowledgement, meaning that the signer cannot successfully claim they did not sign a message while also claiming their private key remains secret. Digital signatures are often used to implement electronic signatures [section 2(ta)], a broader term that refers to any electronic data that holds the meaning of a signature, but not all electronic signatures use digital signatures. In some countries, including the United States, and in the European Union, electronic signatures may have legal significance. Digital signatures are going to play an important role in our lives with the gradual electronization of records and documents. The IT Act has given legal recognition to the digital signature, meaning thereby that legally it has the same value as handwritten signatures affixed to a document for its verification.

2 (q) "Digital Signature Certificate" means a Digital Signature Certificate issued under sub-section (4) of section 35.

Digital certificates are the digital equivalent (i.e. electronic format) of physical or paper certificates.
Examples of physical certificates are driver's licenses, passports or membership cards. Certificates serve as identity of an individual for a certain purpose, e.g. a driver's license identifies someone who can legally drive in a particular country. Likewise, a digital certificate can be presented electronically to prove your identity or your right to access
information or services on the Internet. Digital certificates can be categorized into server certificates and personal certificates. The differences lie in the information they contain and whom they identify.

What are personal certificates? Personal certificates serve to identify a person. It follows that the contents of this type of certificate include the full name and personal particulars of an individual. Among the uses of personal certificates are secure e-mail correspondence and enhanced access control to sensitive or valuable information.

Server certificates identify a server (computer). Hence, instead of the name of a person, server certificates contain the host name, e.g. https://nicca.nic.in/. Server certificates are used to ensure that on-line transactions are secure.

2 (r) "electronic form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;

An e-form (electronic form) is a computer program version of a paper form. Aside from eliminating the cost of printing, storing, and distributing pre-printed forms, and the wastage of obsolete forms, e-forms can be filled out faster because the programming associated with them can automatically format, calculate, look up, and validate information for the user. With digital signatures and routing via e-mail, approval cycle times can be significantly reduced. With electronic submission of completed forms, you can eliminate the cost of rekeying data and the associated errors.

2 (s) "Electronic Gazette" means the Official Gazette published in the electronic form.

The Gazette of India is a public journal of the Government of India, published weekly by the Department of Publication. As a public journal, the Gazette prints official notices from the government. The gazette is printed by the Government of India Press.
The Publication Programme is executed as per the Government of India (Allocation of Business Rules) issued from time to time by the Cabinet Secretariat of the Republic of India. The Department of Publication is headed by the Controller of Publications with the assistance of one Assistant Controller, one Financial Officer and an Assistant Director. The gazette employs more than 270 people under the supervision of the Ministry of Urban
Development, headquartered in Nirman Bhawan, New Delhi. However, any such gazette, if published in electronic form, will be called an e-gazette. The Orissa High Court in Orissa Consumers Association vs. Orissa Electricity Regulatory Authority,¹⁴ noted that provisions in the Information Technology Act, 2000 inter alia provide that if a notification is published in the Electronic Gazette, the notification is deemed to have been published in the Official Gazette. The proviso to section 8 of the Act also makes it clear that where the notification is published both in the Official Gazette and the Electronic Gazette, the date of publication shall be deemed to be the date of the gazette which was first published in any form.

2 (t) "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.

Electronic record commonly means information captured through electronic means, which may or may not have a paper record to back it up; it is also called a machine readable record. Electronic records consist of data and information which are input, created, manipulated and/or stored on electronic media and which show evidence of actions and decisions occurring during transactions of events. The Delhi High Court in Dharambir vs. CBI,¹⁵ held that a blank hard disc written upon is subject to change and becomes electronic record. Erased hard disc made blank still retains information which can be retrieved, therefore is electronic record. The Supreme Court in K.K. Velusamy vs. N. Palanisamy¹⁶ held ... the definition of electronic record in section 2(1)(t) of the Information Technology Act, 2000, includes a compact disc containing an electronic record of conversation.
2 (ta) "electronic signature" means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature.¹⁷

An electronic signature, or e-signature, is any electronic means that indicates either that a person adopts the contents of an electronic message, or more broadly that the person who claims to have written a message is the one who wrote it and that the message received is the one that was sent. By comparison, a signature is a
stylized script associated with a person. In commerce and the law, a signature on a document is an indication that the person adopts the intentions recorded in the document. Electronic signatures produce what digital signature technology stops short of: an electronic signature actually displays an image of your handwritten signature or a visual mark within the document to illustrate your consent to a document's contents and uniquely identify you as a signer. An electronic signature can be as basic as a typed name or a digitized image of a handwritten signature. Consequently, e-signatures are very problematic with regard to maintaining integrity and security, as nothing prevents one individual from typing another individual's name. Due to this reality, an electronic signature that does not incorporate additional measures of security is considered an insecure way of signing documentation. Increasingly, encrypted digital signatures are used in e-commerce and in regulatory filings, as digital signatures are more secure than a simple generic electronic signature. The concept itself is not new, with common law jurisdictions having recognized telegraph signatures as far back as the mid-19th century and faxed signatures since the 1980s. It would be highly advisable to wait for some judicial authority to decide whether a retina scan or fingerprint scan qualifies as an electronic signature.

2 (tb) "Electronic Signature Certificate" means an Electronic Signature Certificate issued under section 35 and includes Digital Signature Certificate.¹⁸

When you apply for the electronic signature certificate under section 35, you get a certificate such as your driving license, PAN card or passport, or more precisely a software license agreement of the kind you get while purchasing new software. Electronic certificates serve as an identity of an individual for a certain purpose, e.g. a driving license identifies someone who can legally drive in a particular country.
Likewise, a digital certificate can be presented electronically to prove your identity or your right to access information or services on the Internet. Digital certificates are the digital equivalents (i.e. electronic format) of physical or paper certificates like your driving license, passport or membership cards.

2 (u) "function", in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer.

Function could be understood as a set of instructions that performs a specific task for a main routine, requiring direction back to the proper place in the main routine on completion of the task; or a section of a computer program that is stored only once but can be used when required at several different points in the program.

2 (ua) "Indian Computer Emergency Response Team" means an agency established under sub-section (1) of section 70B.¹⁹

CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology (IT) security organization. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. CERT-In was created by the Indian Department of Information Technology in 2004 and operates under the auspices of that department. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing administration of the Act.

2 (v) "information" includes [data, message, text]²⁰, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.

Information is the summarization of data. Technically, data are raw facts and figures that are processed into information, such as summaries and totals. But since information can also be the raw data for the next job or person, the two terms cannot be precisely defined, and both are used interchangeably. It may be helpful to view information the way it is structured and used, namely: data, text, spreadsheets, pictures, voice and video. Data are discretely defined fields. Text is a collection of words. Spreadsheets are data in matrix (row and column) form. Pictures are lists of vectors or frames of bits.
Voice is a continuous stream of sound waves. Video is a sequence of image frames.

2 (w) "intermediary", with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record
or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.²¹

In general, an intermediary is a person or service that is involved as a third party between two or more end points in a communication or transaction. For example, a real estate broker arranges for buyer and seller to complete a real estate transaction. In terms of e-mail, when you send mail to your friend using your Gmail account, the mail first goes to Google, which then forwards it to your friend. Thus Google/Gmail is an intermediary. The second part of the definition, inserted by the amendment of 2008, clarifies the categories of service providers that come within it: telecom service providers, network service providers, internet service providers, webhosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes.

2 (x) "key pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key.

The public and private key pair comprises two uniquely related cryptographic keys (basically long random numbers). Below is an example of a public key:

3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31 C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673 CA2B 4003 C266 E2CD CB02 0301 0001

The public key is what its name suggests: public.
It is made available to everyone via a publicly accessible repository or directory. On the other hand, the private key must remain confidential to its respective owner. It is highly advisable to refer to section 2(f), IT Act 2000.

2 (y) "law" includes any Act of Parliament or of a State
Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, bye-laws and orders issued or made thereunder.

2 (z) "licence" means a licence granted to a Certifying Authority under section 24.

A licence is the permission granted by a competent authority to exercise a certain privilege that, without such authorization, would constitute an illegal act, a trespass or a tort. The term also covers the certificate or document itself that confers permission to engage in otherwise proscribed conduct. In particular, a licence may be issued by authorities to allow an activity that would otherwise be forbidden. It may require paying a fee and/or proving a capability. The requirement may also serve to keep the authorities informed on a type of activity, and to give them the opportunity to set conditions and limitations.

2 (za) "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary.

An Internet email message consists of three components: the message envelope, the message header, and the message body. The message header contains control information, including, minimally, an originator's email address and one or more recipient addresses. Usually descriptive information is also added, such as a subject header field and a message submission date/time stamp. In simple terms, the originator is the person who writes/generates an e-mail and sends it to the recipient.

2 (zb) "prescribed" means prescribed by rules made under this Act.

2 (zc) "private key" means the key of a key pair used to create a digital signature.

2 (zd) "public key" means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate.
The above two definitions should be read with sections 2(f) and 2(x), IT Act 2000.
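The sample printed under section 2(x) is more than "long random numbers": it has the layout of a DER-encoded RSA public key, a SEQUENCE holding two INTEGERs (modulus and public exponent). The following added example, which is not part of the book, decodes the printed bytes and checks the modulus size; the function names and the 2048-bit floor are assumptions made for this illustration.

```python
"""Decode the sample public key printed in the commentary on section 2(x)."""

# Hex groups copied from the page; the spaces are layout only.
PAGE_KEY_HEX = """
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577
EE31 C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD
2881 D673 CA2B 4003 C266 E2CD CB02 0301 0001
"""

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30
MIN_RSA_BITS = 2048  # assumed policy floor for this example, not from the page


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value item; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                      # short form: one length byte
    else:
        count = first & 0x7F                # long form: next bytes hold the length
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past the end of the input")
    return tag, buf[pos:end], end


def read_positive_integer(buf: bytes, pos: int):
    """Read a DER INTEGER that must be non-negative; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != TAG_INTEGER or not value:
        raise ValueError("expected INTEGER")
    if value[0] & 0x80:
        raise ValueError("negative INTEGER is not valid in an RSA key")
    return int.from_bytes(value, "big"), nxt


def parse_rsa_public_key(der: bytes):
    """Return (modulus, public_exponent) from SEQUENCE { INTEGER, INTEGER }."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE covering the whole input")
    modulus, pos = read_positive_integer(body, 0)
    exponent, pos = read_positive_integer(body, pos)
    if pos != len(body):
        raise ValueError("unexpected data after the exponent")
    return modulus, exponent


def describe_key(hex_text: str) -> dict:
    """Summarise a hex-printed key the way a reviewer would record it."""
    der = bytes.fromhex("".join(hex_text.split()))
    modulus, exponent = parse_rsa_public_key(der)
    bits = modulus.bit_length()
    return {
        "der_bytes": len(der),
        "modulus_bits": bits,
        "public_exponent": exponent,
        "meets_policy": bits >= MIN_RSA_BITS,
    }


if __name__ == "__main__":
    for field, value in describe_key(PAGE_KEY_HEX).items():
        print(f"{field}: {value}")
```

The modulus of the printed sample is far shorter than key sizes in current use, so it serves only as an illustration of the format.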

2 (ze) "secure system" means computer hardware, software, and procedure that
a. are reasonably secure from unauthorised access and misuse;
b. provide a reasonable level of reliability and correct operation;
c. are reasonably suited to performing the intended functions; and
d. adhere to generally accepted security procedures;

Far from its technical definition, this section defines secure system in its very legal sense. As per this definition, a secure system, including any kind of computer hardware, software or procedure, should be reasonably secure from unauthorized access, and there should be assurance of reasonable reliability and correct operation. Further, there should be assurance of the performance of the intended functions along with established security procedures. Thus if your computer system is infected with a virus, malware or other such unwanted programs, it cannot be said to be a secure system.

2 (zf) "security procedure" means the security procedure prescribed under section 16 by the Central Government;

2 (zg) "subscriber" means a person in whose name the [Electronic Signature]²² Certificate is issued;

2 (zh) "verify" in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether
(a) the initial electronic record was affixed with the digital signature by the use of private key corresponding to the public key of the subscriber;
(b) the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.

(2) Any reference in this Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any,
in force in that area.

References


1. Substituted with Digital Signature by Information Technology Amendment Act, 2008
2. Substituted with Digital Signature by Information Technology Amendment Act, 2008
3. ibid
4. Inserted by ITAA 2008
5. ILR 2005 KAR 2210; (2005) 2 AIR Kant R 935
6. Inserted by ITAA 2008
7. ibid
8. ibid
9. Unlike calculator, computer is programmable and it also works in conjunction with external files.
10. Word Regulations omitted by ITAA, 2008
11. Inserted by ITAA, 2008
12. ibid
13. (2008) 148 DLT 289; ILR (2008) 2 Del 842
14. AIR 2005 Ori 11
15. (2008) 148 DLT 289; ILR (2008) 2 Del 842
16. (2011) 11 Supreme Court Cases 275
17. Inserted by ITAA, 2008
18. Inserted by ITAA, 2008
19. Inserted by ITAA, 2008
20. Substituted with data, text, by ITAA, 2008
21. Substituted with old definition of intermediary; 2 (w) intermediary with respect to any particular electronic message means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message;
22. Substituted with Digital Signature by Information Technology Amendment Act, 2008

CHAPTER II

DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE


Conventional signatures are marks made by persons to authenticate a document and assure the receiver that he has signed it personally. But in the case of emails, merely typing out one's name at the end of a document is hardly any reassurance for the receiver. In this age where crooks are adequately equipped to hack into systems and acquire any data they wish to, the Internet is not a safe medium for secure communication. Hence the concept of digital signatures has come up. Chapter 2 initially dealt with the digital signature, but later, after the amendment of 2008, the electronic signature was inserted. So the confusion between them finally vanished after almost a decade. Digital signatures are often used to implement electronic signatures, a broader term that refers to any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures. In some countries, including India, electronic signatures have legal significance.

Evolution of Digital Signature

In 1976, Whitfield Diffie and Martin Hellman first described the idea of a digital signature scheme. Later, the RSA algorithm was invented by Ronald Rivest, Adi Shamir and Len Adleman. It could be used to produce primitive digital signatures, but only as a proof of concept, as plain RSA signatures are not secure. Thereafter, other digital signature schemes evolved after RSA, namely the Lamport signatures, Merkle signatures (named after Merkle trees, or simply hash trees) and Rabin
signatures. In 1988, Shafi Goldwasser, Silvio Micali and Ronald Rivest suggested a few security requirements for such digital signature schemes. They also proposed a hierarchy of attack models for signature schemes, and the GMR signature scheme, the first that can be proved to prevent even an existential forgery against a chosen message attack. The signature schemes invented in the early phase were mostly the same, the common thing being the use of a trapdoor permutation such as the RSA function.

So it seems a lot of technology and computer science is involved in the evolution of the digital signature. This Act highly appreciates your techno-legal sense of understanding. Those who are not technologically able need not push it hard, as a basic understanding of the internet, e.g. Facebook, Google, Gmail or Twitter, is sufficient to get this right.

However, the word SIGN is defined under Section 3(56) of the General Clauses Act 1897 as follows: "Sign" with its grammatical variations and cognate expressions, shall, with reference to a person who is unable to write his name, include "mark", with its grammatical variations and cognate expressions. Thus the General Clauses Act 1897 did not actually define the term but only states that it would include even a mark in the case of persons unable to write their names. In Webster's dictionary, the word sign means to write one's name on, as in acknowledging authorship, authorising action etc. The word SIGNATURE is therefore to be construed according to the meaning of the word SIGN as discussed. A signature is the writing or otherwise affixing of a person's name, or a mark to represent his name, by himself or by his authority, with the intention of authenticating a document as being that of, or as binding on, the person whose name or mark is so written or affixed. Putting initials is also good and as valid as a signature.
It may also be noted that a signature includes an impression made with a rubber stamp.

Digital Signature

The advent of information technology revolutionised the whole world, and fortunately India played a leading role and captured global attention. India passed the Information Technology Act 2000 (the Act), which came into force on 17-10-2000. The Act applies to the whole of India and even to persons who commit an offence outside India. The Act validates the "digital signature" and enables a person to use it just like the traditional signature. The basic purpose of a digital signature is no different from that of our conventional signature: to authenticate the document, to identify the person, and to make the contents of the document binding on the person putting the digital signature.

A digital signature, or digital signature scheme, is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are based on public key encryption.

A digital signature has many advantages. Firstly, it is portable. A person does not have to go to a place personally and then sign a document. It is easy to sit in some other part of the world, sign a particular contract and send it by e-mail. Secondly, it cannot be copied. Due to the immense security of the software provided by the certifying authority, it becomes impossible to copy the electronic signature. Thirdly, a digital signature is prompt; it comes in handy mainly when a matter is urgent. However long a courier would take, the document can be signed with a digital signature and sent within a few seconds.

With the passage of the IT (Amendment) Act, 2008, India has become technologically neutral due to the adoption of electronic signatures as a legally valid mode of executing signatures. This includes digital signatures as one of the modes of signature and is far broader in ambit, covering biometrics and other new forms of creating electronic signatures. This is a positive change, as India has different segments of people and all may not be technologically adept enough to understand and use digital signatures.
Therefore, allowing forms of authentication that are simpler to use, such as retina scanning, can be quite useful in effective implementation of the Act. However, the challenge it poses is accessibility to authentication tools and imparting education to people to use the same.

The functioning of the digital signature is based on the system of public key cryptography. Public-key cryptography refers to a cryptographic system requiring two separate keys, one of which is secret and one of which is public. Although different, the two parts of the key pair are mathematically linked. One key locks or encrypts the plain text, and the other unlocks or decrypts the cipher text. Neither key can perform both functions. One of these keys is published or public, while the other is kept private.

Key encryption allows more than just privacy. It can also assure the recipient of the authenticity of a document, because a private key can be used to encode a message that only a public key can decode. If I have information I want to sign before sending it to you, my computer uses my private key to encipher it. Now the message can be read only if my public key (which you and everyone else know) is used to decipher it. This message is veritably from me, because no one else has the private key that could have encrypted it in this way.

Digital Revolution in India

In India, the MCA-21 programme launched by the Ministry of Corporate Affairs (MCA) really revolutionised the use of the digital signature by making e-filing mandatory for most of the documents required to be filed under the Companies Act 1956 and under the Limited Liability Partnership Act 2008 (LLP Act). The Ministry of Company Affairs has initiated the MCA21 program for easy and secure access to its services in a manner that best suits businesses and citizens. MCA21 is envisioned to provide anytime and anywhere services to businesses. It is a pioneering program, being the first mission mode e-governance project undertaken in the country. This program builds on the vision to introduce a Service Oriented Approach in the design and delivery of Government services, establish a healthy business ecosystem and make the country globally competitive. The MCA21 application is designed to support Class 2 and Class 3 Digital Signature Certificates issued by a licensed Certifying Authority under the Controller of Certifying Authorities.
The Income Tax department followed suit and provided for compulsory filing of returns in the electronic mode, except for a few, under the Income Tax Act 1961. The Central Excise Act and the Finance Act 1994 (dealing with service tax) also provide schemes for e-filing. Now the application for registration under the Foreign Contribution Regulations Act provides that it shall be filed electronically. The application for an IEC code is to be filed electronically with the DGFT (Director General of Foreign Trade). This discussion indicates the extent of the electronic revolution that has taken place in India, and thus the importance and relevance of the digital signature. The time is not far away when we may even forget our own hand signature due to non-usage.

Electronic Signature and Digital Signature

Countries around the world establish the legal standing of e-signatures. Documents signed with compliant e-signature software have the same legal validity as traditional pen-and-paper contracts. Think of an electronic signature this way: instead of pen and paper, you use a device which, by means of some kind of software, sends your signature to the computer unit at the same time as you are signing it. Thus it appears that you are signing on the computer directly. Many people quite often use the term interchangeably with digital signature, but on closer analysis it can be noticed that the term electronic signature is very wide and the digital signature is only one of the many kinds of electronic signature one can envisage.

The term electronic signature is defined under section 2(ta) of the IT Act 2000 (as inserted by the Information Technology Amendment Act 2008 (ITAA)) as follows: "Electronic signature" means authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature.

The expression digital signature is defined under section 2(p) as follows: "Digital Signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3.

Therefore electronic signature is a wider term, and a digital signature is one kind of electronic signature under the IT Act 2000. Thus, if you simply write your name and say "I sign", that will be sufficient to constitute an electronic signature, but obviously it is not at all safe or secure.
The person can always say that some other person typed his name in the document without his consent or knowledge. Here the digital signature plays an important role, as it is secure and the person cannot be allowed to deny that he signed unless he proves with clear evidence that it was put without his consent or knowledge.

Digital Signature Certificate (DSC)

Digital Certificates serve as an identity of an individual for a certain purpose, e.g. a driving license identifies someone who can legally drive in a particular country. Likewise, a Digital Certificate can be presented electronically to prove your identity or your right to access information or services on the Internet. Digital Certificates are the digital equivalents (i.e. electronic format) of physical or paper certificates like your driving license, passport or membership cards.

Section 2(q) of the Act defines the Digital Signature Certificate to mean a Digital Signature Certificate issued under sub-section (4) of section 35, and does not explain its meaning. A DSC is issued by authorities known as Certifying Authorities. Section 35 deals with the procedure for issue of electronic/digital signatures by the Certifying Authorities. Section 35(4) provides that on receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or, for reasons to be recorded in writing, reject the application; provided that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.

Thus the IT Act 2000 as such does not contain the exact meaning of the term Digital Signature Certificate, but only describes such a certificate as one which is issued by the CA after following the prescribed procedure. But I have already explained the meaning of the same in the above paragraph.

Types of Digital Signatures


There are three types of digital signatures based on security levels: Class-1, Class-2 and Class-3 certificates. Class-1 certificates do not carry any legal recognition, since their validation rests only on a valid e-mail and not on direct verification. For Class-2 certificates, the identity of the person is verified on the basis of a trusted pre-verified database. Class-3 represents the top level, where a person is required to be present in front of a Registration Authority to prove his/her identity.

MCA21 insists on a Class-2 certificate for filing documents under the Companies Act and the Limited Liability Partnership Act. The other authorities also recognise Digital Signature Certificates in the Class-2 category and not Class-1. The digital signature is required under the Companies Act and LLP Act by auditors, directors, company secretaries and bankers, for filing registration and satisfaction of charges etc., and for the purpose of filing various returns and documents.

Digital Signatures and Evidence Act

The Indian Evidence Act 1872 is a piece of legislation dealing with evidence that can be produced or admitted in a court of law by the litigating parties. The law, which was enacted in 1872, naturally did not envisage electronic signatures and records as evidence. Hence, in view of the widespread use of electronic records and electronic signatures, including the digital signature, it was felt necessary to amend the said Act to bring it into conformity with the changing trends in society.

Section 3 of the Evidence Act 1872 provides for interpretation or definition of certain words or expressions used in the Act. The said section was amended to include electronic records also in the definition of the term "evidence". Further, section 47A has been inserted to provide that when the Court has to form an opinion as to the electronic signature of any person, the opinion of the Certifying Authority which has issued the Electronic Signature Certificate is a relevant fact. Section 67A has been inserted, which protects the secure electronic signature. It provides that if the electronic signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such electronic signature is the electronic signature of the subscriber must be proved, except when the same is a secure electronic signature. Section 73A has been newly inserted to provide that the court may direct the concerned person or Certifying Authorities to ascertain whether a digital signature is that of the person by whom it is purported to have been affixed.
It may also direct any other person to apply the public key listed in the Electronic Signature Certificate and verify the electronic signature purported to have been affixed by that person.

Section 85B(1) provides that in any proceedings involving a secure electronic record, the Court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates. Section 85B(2) provides that, unless the contrary is proved, the court shall presume that the secure electronic signature is affixed by the subscriber with the intention of signing or approving the electronic record. It further provides that there shall be no presumption relating to the authenticity and integrity of the electronic record or any electronic signature if the same is not secure. Section 85C deals with situations where the Court shall presume, unless the contrary is proved, that the information listed in an Electronic Signature Certificate is correct, except for information specified as subscriber information which has not been verified, if the certificate was accepted by the subscriber.

Digital Signatures and Indian Penal Code

A need was felt for the addition of certain provisions to take care of the new developments in the field of electronics and information technology. Thus, through the Information Technology Amendment Act 2008, the IPC was also amended. Section 73A has been inserted to provide the same provision as in section 47A of the Indian Evidence Act discussed above in this article. Section 464 has also been amended to provide that the said section shall be made applicable to electronic records and electronic signatures also. Section 464 deals with situations when a person is said to make a false document or electronic record. Section 466 provides for forging of electronic records also. There are amendments to sections 4, 40, 118 and 119 also, which are not dealt with in this article for want of space.

Section 3: Authentication of electronic records:

(1) Subject to the provisions of this section, any subscriber may authenticate an electronic record by affixing his digital signature.

(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation: For the purposes of this sub-section, "hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible
a. to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
b. that two electronic records can produce the same hash result using the algorithm.

(3) Any person by the use of a public key of the subscriber can verify the electronic record.

(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.

The Information Technology Act, 2000 (the IT Act) was passed, inter alia, to provide for electronic governance. Section 3 of the Act provides for authentication of electronic records. It says that any electronic record can be authenticated by a person by affixing his digital signature. This section also provides for the minimum technology required of the digital signature. The electronic record would be converted into a message digest by using a hash function, which is intended to ensure the integrity of the communication of the electronic record. The identity of the person affixing the digital signature is authenticated by means of a private key and public key pair which is unique to him.

The Information Technology (Certifying Authority) Rules, 2000 have also been framed. Rule 3 further elaborates on the manner in which information can be authenticated by means of a digital signature. It says that the digital signature shall use public key cryptography/asymmetric crypto system employing two different but mathematically related keys, one for creating the signature and another for verifying it. It further says that the electronic record has to be transformed into seemingly unintelligible forms and back again, and that the process termed "hash function" shall be used for the purpose. Various other details, such as the digital signature certificate standards, are also specified.
Section 21 provides for licensing of Certifying Authorities, who will be eligible to issue Digital Signature Certificates. Here, the bigger challenge for those not versed in technology is technical riddles such as "asymmetric crypto system" and "hash function".

Asymmetric cryptography, or public-key cryptography, is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely. Initially, a network user receives a public and private key pair from a certificate authority. Any other user who wants to send an encrypted message can get the intended recipient's public key from a public directory. They use this key to encrypt the message, and they send it to the recipient. When the recipient gets the message, they decrypt it with their private key, which no one else should have access to.

Say, for example, Naman has been given two keys. One of Naman's keys is called a Public Key and the other is called a Private Key. Naman's Public Key is available to anyone who needs it, but he keeps his Private Key to himself. This ensures the safe arrival of a message to the one to whom it is directed. If this data somehow gets stolen, it cannot be read in the absence of Naman's private key. Keys are used to encrypt information. Encrypting information means scrambling it up, so that only a person with the appropriate key can make it readable again. Either of the two keys can encrypt data, and the other can decrypt that data. Sumit can encrypt a message using Naman's Public Key. Naman uses his Private Key to decrypt the message. As discussed above, any of Naman's coworkers might have access to the message Sumit encrypted, but without Naman's Private Key the data is worthless.

Further, hashing converts a piece of data into a relatively short piece of data, such as a string. After conversion, the data received is called the hash result. This is accomplished by using a one-way hash function. One-way means that it is very difficult (or practically impossible) to reverse it. Two different pieces of data could possibly be converted into the same hash result. Thus, "Indian Legal and Constitutional History" and "Katrina Kaif" could possibly be hash valued as C4HD NJ6K ALI9 2K4J F78J 22KG HK90.

Now, with his private key and the right software, Naman can put digital signatures on documents and other data.
A digital signature is a stamp Naman places on the data which is unique to Naman and is very difficult to forge. In addition, the signature assures that any changes made to the data that has been signed cannot go undetected.

To sign a document, Naman's software will crunch down the data into just a few lines by a process called hashing. These few lines are called a message digest. It is not possible to change a message digest back into the original data from which it was created. [Explanation 2(a)] Naman's software then encrypts the message digest with his private key. The result is the digital signature. Finally, Naman's software appends the digital signature to the document. All of the data that was hashed has been signed.

Naman now passes the document on to Varnika. First, Varnika's software decrypts the signature (using Naman's public key), changing it back into a message digest. If this works, it proves that Naman signed the document, because only Naman has his private key, which alone could generate a message that can be decrypted only by his public key. Varnika's software then hashes the document data into a message digest. If this message digest is the same as the one obtained by decrypting the signature, the signed data has not been changed.

Section 3-A: Electronic Signature:

(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which
a. is considered reliable; and
b. may be specified in the Second Schedule.

(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if
a. the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;
b. the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
c. any alteration to the electronic signature made after affixing such signature is detectable;
d. any alteration to the information made after its authentication by electronic signature is detectable; and
e. it fulfills such other conditions which may be prescribed.

(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.

(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the second schedule; Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.

(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.

The advent of the ITAA, 2008 marked the arrival of the electronic signature in India. As per section 3A(1) of the Act, a choice is given between the use of either a digital signature or an electronic signature for authentication of the electronic document. However, if an electronic signature is chosen to authenticate documents, then the authentication technique must be reliable and the technology must be given in the second schedule of the Act. At present no system of electronic signature has been defined in the second schedule, and hence there is no change in the authentication mechanism under the Act. The present system of digital signatures will therefore continue for the time being and will be the only method of authentication of an electronic document.

As per the requirement of section 3A(2), a technique would be deemed reliable if:

(a) The data which collectively generates the signature, or the data which authenticates it, is linked to, possessed by, or always with the signatory or the person who authenticates. Thus, for example, property registration these days requires your finger on the fingerprint scanner along with your face. Here, your fingerprint is linked with you alone and no one else.
(b) The second requirement is that, at the time of signing, the data required for generating the signature is with the signatory or, in the case of authentication, with the authenticator, as the case may be. Thus, with respect to the Indian Evidence Act, it will always be presumed that at the time of signing/authentication the data was with the signatory/authenticator, as it is presumed that data such as fingerprint, iris, DNA, hair, skin fossils etc. is with you all the time and with no one else.

These two criteria correspond to the use of the private key in the encryption of the hash value in the current system of digital signature. Thus, in case of any forgery, the burden of proof is on the signatory to prove that the data had parted from him.

Reliability as per section 3A(2)(c) and (d) will also be seen as the capability of detecting any alteration made after signing/authentication. This criterion corresponds to the functionality of the hash algorithm used in the digital signature system. Obviously the system should meet the minimum criteria of effectively establishing the authentication of a document to the person who authenticates it, and should also ensure that if the document has been changed since it was signed, such alteration becomes noticeable. For example, MS Office documents are capable of detecting the last modification made. Thus any modification made after signing can be detected easily.

It is clear from the above that for any authentication system to be considered an electronic signature, it must have the two properties represented by hashing and the asymmetric crypto system. There must be a mechanism to identify any change of data after the signature is affixed, and some data exclusively under the control of the signer should be part of the signature. At present there does not seem to be any known technology of this type anywhere in the world other than the PKI-based digital signature system. Hence the possibility of any other system being considered as an electronic signature in replacement of the digital signature is remote.

Notwithstanding section 3A(4), as per section 3A(2)(e), if in the near future it is felt that a certain technology could provide reliability at par, then the electronic signature must be in consonance with that technology. Section 3A(3) gives power to the Central Government to establish the procedure to authenticate the electronic signature, possibly similar to the digital signature certificate.
If we go by the reliability of the Hash algorithms and the asymmetric cryptosystems used for the current digital signature system which are reviewed worldwide by mathematicians on a regular basis, any alternative system should also meet similar stringent standards, as in case of electronic signatures.
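The hash-then-sign flow of Section 3 and the Naman and Varnika walk-through, together with the detectability criteria of section 3A(2)(c) and (d), shown as an added example that is not part of the original text. It uses SHA-256 and textbook RSA from the Python standard library; the exponent, the publicly known primes, the second key pair and the sample record are assumptions constructed for the illustration.

```python
"""Hash-then-sign walk-through (added teaching example, not production code)."""
import hashlib

E = 65537  # public exponent (assumption; the text names no parameters)


def make_key_pair(p: int, q: int):
    """Build a mathematically linked (public, private) key pair from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E mod phi(n)
    return (n, E), (n, d)


# Constructed demonstration keys. The primes are publicly known Mersenne primes,
# so these "private" keys protect nothing; real keys use secret random primes.
NAMAN_PUBLIC, NAMAN_PRIVATE = make_key_pair(2**521 - 1, 2**607 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_key_pair(2**1279 - 1, 2**2203 - 1)


def hash_result(record: bytes) -> int:
    """Section 3 'hash function': map the record to a short, fixed-size digest."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(record: bytes, private_key) -> int:
    """Signer: hash the record, then transform the digest with the private key.

    Plain RSA on a bare digest, as here, is the proof-of-concept form the text
    calls insecure; deployed schemes add a padding step such as RSASSA-PSS.
    """
    n, d = private_key
    return pow(hash_result(record), d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Verifier: recover the digest with the public key and compare it with a
    digest freshly computed over the record as received."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == hash_result(record)


def demonstrate() -> dict:
    """Run each check once and report which verifications succeed."""
    # Constructed sample record and a copy altered after signing.
    record = b"Agreement dated 01-01-2024: Naman sells plot 7 to Varnika."
    altered = record.replace(b"plot 7", b"plot 9")
    signature = affix_signature(record, NAMAN_PRIVATE)
    forged = affix_signature(record, OTHER_PRIVATE)  # signed by someone else
    return {
        # Section 3 Explanation: same input, same hash result, every time.
        "same_record_same_hash": hash_result(record) == hash_result(bytes(record)),
        "altered_record_new_hash": hash_result(record) != hash_result(altered),
        # Section 3(3): anyone holding Naman's public key can verify.
        "genuine": verify(record, signature, NAMAN_PUBLIC),
        # Section 3A(2)(d): alteration of the information is detectable.
        "record_altered": verify(altered, signature, NAMAN_PUBLIC),
        # Section 3A(2)(c): alteration of the signature is detectable.
        "signature_altered": verify(record, signature ^ 1, NAMAN_PUBLIC),
        # Section 3A(2)(a),(b): only the holder of Naman's private key can sign.
        "signed_with_other_key": verify(record, forged, NAMAN_PUBLIC),
        "checked_with_other_key": verify(record, signature, OTHER_PUBLIC),
    }


if __name__ == "__main__":
    for check, outcome in demonstrate().items():
        print(f"{check:26} {outcome}")
```

Only the untouched record with Naman's own signature verifies against his public key; every other combination is rejected.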

Additionally, the system has to be licensed in a manner similar to the manner of licensing Certifying Authorities at present. It is therefore considered that in the near future the digital signature system will continue to be the sole system of authentication recognized by Indian law. In case the Government needs to introduce a new system, it has to notify through the Official Gazette the relevant procedure which is considered reliable. This would also require the notification to be placed before Parliament.

Evolution of Electronic signature

When the Information Technology Amendment Bill 2006 was drafted on the basis of the recommendations of the Expert Committee, the committee took into consideration a demand from the technical community that the law was dependent on a single authentication technology and that there was a need to make the law "Technology Neutral" [1]. In response to this demand, the committee tried to define an umbrella system of electronic signatures, of which the digital signature was one kind. This required replacement of the word "Digital" with the word "Electronic" at several places in the Act. Taking this into consideration, in clause 2 of the Information Technology Amendment Bill 2006, a list of amendments was proposed to replace the word "Digital" with the word "Electronic" at several places in the principal Act where a reference to "Digital Signature" had been made.

When the Bill needed further amendments based on the Standing Committee report, instead of drafting a new amendment bill, the department drafted a bill called the Information Technology Amendment Bill 2008 and introduced it in Parliament on December 15, 2008. In this process of drafting an amendment bill for amending a pending bill which was to amend a prevalent act, some serious mistakes have crept into the Act, which is now law.
Instead of the earlier proposal to call the digital signature one type of an umbrella kind, the electronic signature, the current draft introduced a new section 3A to define electronic signatures and retained the earlier section 3 on digital signatures. This has made the electronic signature a concurrent alternative proposed by law to the digital signature, and both could be used for authentication of electronic documents. As a result, the Certifying Authorities regulations also need to accommodate both the digital signature and the electronic signature. Either the current Certifying Authorities need to be licensed for electronic signatures also, or there may be new Certifying Authorities who apply only for being Certifying Authorities for electronic signatures and do not opt for having any digital signature products. The public should also be able to "affix digital signature" and also "affix electronic signature", as the case may be. They can acquire two different certificates, one for digital signature and the other for electronic signature, and these may be from different Certifying Authorities.

Although electronic data and electronic signature is an upcoming field in law, Indian law is trying to cope with this technical era through various amendments in the existing laws, along with the inclusion of the I.T. Act of 2000. The I.T. Act opened a new horizon altogether. It is a tool to cope with internet fraud and other offences; further, it provides penalties for offences. When the internet age came, every day a new set of laws, like the intellectual property laws, cybercrime laws and the Indian Penal Code, were broken. The existing laws were not sufficient. In due course of time new laws are being enacted, and in future many more amendments will be required as the World Wide Web becomes more and more global.

Reference
1. Technology neutral means neither promoting nor discouraging the use of a particular technology. For example: A law requires that goods need to be transported from one point to another. Requiring the use of trucks to transport goods would make the law technology specific. Specifying that any means of transport may be used to transport goods, such as airplanes, railways, tempos, bullock carts etc., would make the law technology neutral.

CHAPTER III

ELECTRONIC GOVERNANCE
Understanding e-Governance

The word "electronic" in the term e-Governance implies technology-driven governance. E-Governance is the application of Information and Communication Technology for delivering government services, exchange of information, communication transactions, and integration of various stand-alone systems and services between Government-to-Citizens, Government-to-Business and Government-to-Government, as well as back office processes and interactions within the entire government framework. Thus it can be said that e-governance is the use of a range of modern Information and Communication Technologies such as the Internet, Local Area Networks, mobiles etc. by Government to improve effectiveness, efficiency and service delivery, and to promote democracy. Through e-Governance, government services will be made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are Government, citizens and businesses/interest groups. Generally four basic models are available: Government to Customer/Citizen, Government to Employees, Government to Government and Government to Business.

Scope of E-Governance

Governance is all about the flow of information between the Government and Citizens, Government and Businesses, and Government and Government. E-Governance also covers all these relationships, as follows:
A. Government to Citizen (G2C)
B. Citizen to Government (C2G)
C. Government to Government (G2G)
D. Government to Business (G2B)

A. Government to Citizen

The Government to Citizen relationship is the most basic aspect of E-Governance. In modern times, Government deals with many aspects of the life of a citizen. The relation of a citizen with the Government starts with the birth and ends with the death of the citizen. A person transacts with the Government at every corner of his life, be it birth registration, marriage registration, divorce or death registration. The G2C relation will include the services provided by the Government to the citizens. These services include the public utility services, i.e. Telecommunication, Transportation, Post, Medical facilities, Electricity and Education, and also some of the democratic services relating to citizenship such as Certification, Registration, Licensing, Taxation, Passports, I.D. Cards etc. Therefore E-Governance in the G2C relationship will involve facilitation of the services flowing from Government towards citizens with the use of Information and Communications Technology. A few examples could be:

E-Citizenship - E-Citizenship will include the implementation of Information and Communications Technology for facilitation of Government services relating to the citizenship of an individual. It may involve online transactions relating to issue and renewal of documents like Ration Cards, Passports, Election Cards, Identity Cards etc. It will require the Government to create a virtual identity of every citizen so as to enable them to access Government services online. For the same, Government would need to create a Citizen Database, which is a huge task.

E-Registration - E-Registration will cover the online registration of various contracts. An individual enters into several contracts during his life. Many of these contracts and transactions require registration to give them legality and enforceability. Such registration may also be made information and communications technology enabled.
E-registration will help to reduce a significant amount of paperwork. E-Transportation- E-Transportation services would include information and communications technology enablement of services of Government relating to Transport by Road, Rail, Water or Air.

Cyber and Technology Laws 55

This may involve online 1. booking and cancellation of tickets, 2. status of vehicles, railways, boats and flights, 3. issue and renewal of Driving Licenses, 4. registration and renewal of vehicles, 5. transfer of vehicles, 6. payment of the fees of licenses, 7. payment of fees and taxes for vehicle registration, E-Health- E-Health services would be information and communications technology enablement of the health services of the Government. Under this interconnection of all hospitals may take place. A patient database may be created. A local pharmacy database may also be created. All this can be done. E-Education- E-Education would cover the implementation of information and communications technology in imparting of education and conducting of Courses. Distant as will as classroom education will be facilitated with the use of information and communications technology. Use of internet can reduce the communication time required in Distance education; Internet may also help in conducting online classes. E-Help - E-Help refers to facilitation of disaster and crisis management using information and communications technology. It includes the use of technologies like internet, SMS, etc. for the purpose of reducing the response time of the Government agencies to the disasters.NGOs help Government in providing help in situations of disasters. Online information relating to disasters, warnings and calls for help can help the Government and the NGOs coordinate their work and facilitate and speed up the rescue work. E-Taxation- E-Taxation will facilitate the taxing process by implementing information and communications technology in the taxing process. Online tax due alerts and online payment of taxes would help transact faster. B.Citizen to Government Citizen to Government relationship will include the communication of citizens with the Government arising in the Democratic process like voting, campaigning, feedback, etc. 
E-Democracy - The true concept of Democracy includes the participation of the citizens in the democratic and governing process. Today, due to the increased population, the active participation of the citizens in the governing process is not possible. Information and communications technology can help enable the true democratic process including voting, public opinion, feedback and Government accountability.

E-Feedback - E-Feedback includes the use of information and communications technology for the purpose of giving feedback to the Government. Lobbying is persuading the Government to take a certain decision. Use of information and communications technology can enable online feedback to the Government and online debates as to the Government services.

C. Government to Government

G2G relationship would include the relationships between Central and State Government and also the relationship between two or more Government departments.

E-administration - E-administration would include the implementation of information and communications technology in the functioning of the Government, internally and externally. Implementation of information and communications technology can reduce the communication time between Government Departments and between Governments. It can substantially reduce paperwork if properly used. E-administration will also bring morality and transparency to the administration of Government Departments.

E-police - The concept of E-police is a little different from Cyber-Police. Cyber Police require technology experts to curb electronic/cyber crimes. E-police refers to the use of information and communications technology for the purpose of facilitating the work of the Police department in investigation and administration. The concept of E-police includes databases of Police Officers and their performances, criminal databases (wanted as well as in custody), the trends in crimes and much more. Information and communications technology can help reduce the response time of the Police department and also reduce cost by reducing paperwork.

E-courts - The concept of E-Court will include the information and communications technology enablement of the judicial process.
Technology may help distant hearing, online summons and warrants, and online publication of Judgments and Decrees.

D. Government to Business

E-Taxation - The corporate sector pays many taxes, duties and dues to the Government. Payment of these taxes and duties will be made easier by E-Taxation. Online taxing and online payment of taxes can help reduce the cost and time required for physical submission of taxes. Information and communications technology can also help crosscheck frauds and deficiencies in payment, further bringing accuracy and revenue to the Government.

E-Licensing - Companies have to acquire various licenses from the Government; similarly, companies have to acquire various registrations. Information and communications technology enablement of licensing and registration can reduce time and cost.

E-Tendering - E-Tendering will include the facilities of online tendering and procurement. It will include online alerts as to new opportunities of business with the Government and also online submission of tenders and online allotment of work. It will reduce the time and cost involved in the physical tendering system.

E-Governance is the future; many countries are looking forward to it for a corruption-free government. E-government is a one-way communication protocol whereas E-governance is a two-way communication protocol. The essence of E-governance is to reach the beneficiary and to ensure that the services intended to reach the desired individual have in fact reached them. There should be an auto-response system to support the essence of E-governance, whereby the Government realizes the efficacy of its governance. E-governance is by the governed, for the governed and of the governed.

Difference between e-governance and e-government

Both terms are often treated as the same; however, there is some difference between the two. E-government is the use of Information and Communication Technologies in public administrations combined with organisational change and new skills to improve public services and democratic processes and to strengthen support to the public. The term Governance is wider than Government.
Governance may be the activity of governing/controlling a country by its Government, controlling an organisation or a company by its CEO or Board of Directors, or controlling a household by the head of the house. Accordingly, E-governance may also involve the governing of a country, organisation, company or household, however with the help of Information and Communication Technology.

Objectives of E-Governance

Following are the objectives/aims of E-Governance:

To build an informed society - An informed society is an empowered society. Only informed people can make a Government responsible. So providing access for all to every piece of information of the Government and of public importance is one of the basic objectives of E-Governance.

To increase Government and Citizen interaction - In the physical world, the Government and Citizens hardly interact. The amount of feedback from and to the citizens is negligible. E-Governance aims to build a feedback framework, to get feedback from the people and to make the Government aware of people's problems.

To encourage citizen participation - True democracy requires the participation of each individual citizen. Increased population has led to representative democracy, which is not democracy in the true sense. E-governance aims to restore democracy to its true meaning by improving citizen participation in the governing process, by improving feedback, access to information and the overall participation of the citizens in decision making.

To bring transparency to the governing process - E-governance carries the objective of making the governing process transparent by making all Government data and information available to the people for access. It is to make people know the decisions and policies of the Government.

To make the Government accountable - Government is responsible and answerable for every act and decision taken by it. E-Governance aims to, and will help, make the Government more accountable than now by bringing transparency and making the citizens more informed.

To reduce the cost of Governance - E-Governance also aims to reduce the cost of governance by cutting down on expenditure on the physical delivery of information and services. It aims to do this by cutting down on stationery, which amounts to most of the government's expenditure.
It also does away with physical communication, thereby reducing the time required for communication while reducing cost.

To reduce the reaction time of the Government - Normally, due to red-tapism and other reasons, the Government takes long to reply to people's queries and problems. E-Governance aims to reduce the reaction time of the Government to people's queries and problems, because people's problems are basically the Government's problems, as Government is for the people.

National e-Governance Plan: The common future of all

The National e-Governance Plan of the Indian Government seeks to lay the foundation and provide the impetus for long-term growth of e-Governance within the country. This provides information on creation of the right governance and institutional mechanisms, setting up the core infrastructure and policies, and implementation of a number of Mission Mode Projects at the Center, State and integrated service levels.

The National e-Governance Plan (NeGP) has been formulated by the Department of Electronics and Information Technology (DEITY) and the Department of Administrative Reforms and Public Grievances (DARPG). The Union Government approved the NeGP, comprising 27 Mission Mode Projects (MMPs) and 10 components, on May 18, 2006. The NeGP aims at improving delivery of Government services to citizens and businesses with the following vision:

"Make all Government services accessible to the common man in his locality, through common service delivery outlets and ensure efficiency, transparency & reliability of such services at affordable costs to realise the basic needs of the common man."

Implementation of e-Governance is a highly complex process requiring provisioning of hardware & software, networking, process re-engineering and change management. Based on lessons learnt from the past and the experience from successful e-Governance applications, the approach and methodology adopted for NeGP contains the following elements:

Common Support Infrastructure: NeGP implementation involves setting up of common and support IT infrastructure such as State Wide Area Networks (SWANs), State Data Centres (SDCs), Common Services Centres (CSCs) and Electronic Service Delivery Gateways.
Governance: Suitable arrangements for monitoring and coordinating the implementation of NeGP under the direction of the competent authorities have also been substantially put in place. The programme also involves evolving/laying down standards and policy guidelines, providing technical support, undertaking capacity building, R&D, etc. DEITY is required to adequately strengthen itself and various institutions like NIC, STQC, CDAC, NISG, etc. to play these roles effectively.

Centralised Initiative, Decentralised Implementation: e-Governance is being promoted through a centralised initiative to the extent necessary to ensure citizen-centric orientation, to realise the objective of inter-operability of various e-Governance applications and to ensure optimal utilisation of information and communications technology infrastructure and resources, while allowing for a decentralised implementation model. It also aims at identifying successful projects and replicating them with required customisation wherever needed.

Public-Private Partnerships (PPP): The PPP model is to be adopted wherever feasible to enlarge the resource pool without compromising on the security aspects.

Integrative Elements: Adoption of unique identification codes for citizens, businesses and property is to be promoted to facilitate integration and avoid ambiguity.

Programme Approach at the National and State levels: For implementation of the NeGP, various Union Ministries/Departments and State Governments are involved. Considering the multiplicity of agencies involved and the need for overall aggregation and integration at the national level, NeGP is being implemented as a programme, with well-defined roles and responsibilities for each agency involved. For facilitating this, appropriate programme management structures have also been put in place.

Facilitator role of DEITY: DEITY is the facilitator and catalyst for the implementation of NeGP by various Ministries and State Governments and also provides technical assistance. It serves as a secretariat to the Apex Committee and assists it in managing the programme. In addition, DEITY is also implementing pilot/infrastructure/technical/special projects and support components.
DARPG's responsibility is towards Government Process Re-engineering and Change Management, which are desired to be realised across all government departments. The Planning Commission and Ministry of Finance allocate funds for NeGP through Plan and Non-plan budgetary provisions and lay down appropriate procedures in this regard.

Ownership of Ministries: Under the NeGP, various MMPs are owned and spearheaded by the concerned line Ministries. In case there are any ongoing projects which fall in the MMP category, they would be suitably enhanced to align them with the objectives of NeGP. For major projects like Bharat Nirman, Rural Employment Guarantee Schemes, etc. the line ministries concerned are advised to make use of e-Governance as also automation techniques from the inception stage. States have been given the flexibility to identify a few additional state-specific projects which are relevant for the economic development of the State.

Section 4: Legal Recognition of Electronic Records

Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.

Section 4 of the IT Act says that any information or other matter required by any law to be in writing can be in electronic form. Due to the tremendous growth of Internet services, more than 90 percent of the records created at present are in electronic form. However, cyber laws across the world did not recognize electronic communication as legally valid. The two main legal barriers to e-commerce and e-governance were:
- the necessity to record information on a tangible medium; and
- the requirement of handwritten signatures.

However, Section 4 of the IT Act provides that, if there is a legal requirement for any information to be in written form, such a requirement shall be considered to be satisfied where the information is:
- made available in an electronic form; and
- accessible for subsequent uses.
Section 5: Legal recognition of [Electronic Signature]¹

Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of electronic signature affixed in such manner as may be prescribed by the Central Government.

Explanation - For the purposes of this section, "signed", with its grammatical variations and cognate expressions, shall, with reference to a person, mean affixing of his handwritten signature or any mark on any document and the expression "signature" shall be construed accordingly.

Section 5 says that where any law requires any information or other matter to be authenticated by the signature of any person, then such requirement shall be deemed to be satisfied if such information or matter is authenticated by means of digital signature affixed in the manner provided by the Rules.

Section 6: Use of Electronic Records and Electronic Signature in Government and its agencies

(1) Where any law provides for
a. the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;
b. the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner;
c. the receipt or payment of money in a particular manner,
then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government.

(2) The appropriate Government may, for the purposes of sub-section (1), by rules, prescribe
a. the manner and format in which such electronic records shall be filed, created or issued;
b. the manner or method of payment of any fee or charges for filing, creation or issue of any electronic record under clause (a).

Section 6 elaborates this specifically in the context of electronic filing with the government or any office, authority, body or agency owned or controlled by the government. It inter alia provides that where any law provides for the filing of any form, application or other document with any such authority, then such requirement shall be deemed to have been satisfied if such filing is effected by means of such electronic form as may be prescribed by the appropriate government. For example, under MCA21 of the Ministry of Corporate Affairs e-filing is compulsory; similarly, UPSC has made e-application mandatory.

Section 6-A: Delivery of Services by Service Provider

(1) The appropriate Government may, for the purposes of this Chapter and for efficient delivery of services to the public through electronic means, authorise, by order, any service provider to set up, maintain and upgrade the computerised facilities and perform such other services as it may specify, by notification in the Official Gazette.

Explanation - For the purposes of this section, service provider so authorised includes any individual, private agency, private company, partnership firm, sole proprietor firm or any such other body or agency which has been granted permission by the appropriate Government to offer services through electronic means in accordance with the policy governing such service sector.

(2) The appropriate Government may also authorise any service provider authorised under sub-section (1) to collect, retain and appropriate service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service.
(3) Subject to the provisions of sub-section (2), the appropriate Government may authorise the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate e-service charges by the service providers.

(4) The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section:
Provided that the appropriate Government may specify different scale of service charges for different types of services.

The new Section 6A was introduced to provide for the appointment of Service Providers in e-Governance services and to enable delivery of services by private service providers. This section is important for the legal enablement of several services already introduced by different Governments which were capable of being questioned for legal validity.

As is evident, information and technology are deeply involved in the modern life style. More and more services are to be offered to consumers, and for that a huge infrastructure is needed. Not everything can come from the government, so to avoid any such situation this section was inserted in the Information Technology Act. This section primarily gives legal sanction to service providers, e.g. any service provider, from electricity to internet, from taxes to banking, to establish, maintain and upgrade from time to time the infrastructure established by them. Further, if any such expenses occur, customers obviously have to bear them, so provision is made to legalize the service charges payable by the customers.

Section 7: Retention of Electronic Records

(1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if
a. the information contained therein remains accessible so as to be usable for a subsequent reference;
b. the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
c. the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record:
Provided that this clause does not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received.

(2) Nothing in this section shall apply to any law that expressly provides for the retention of documents, records or information in the form of electronic records.

Section 7 of the Act is designed for the safe keeping and disposal of records. The section denies any difference between paper record keeping and electronic record keeping. Electronic records can be defined as information created, maintained, or retained in any digitized configuration. Such information can reside on a CD, hard disk, tape, or any other magnetic storage unit. Moreover, record types have expanded from text to audio, fax, music, pictures, video, x-rays, and a variety of other new document and file formats. Records in any or all such formats must be captured, edited, indexed, cross-referenced, retrieved, and eventually erased or destroyed. Faced with this proliferation of information, dispersed amongst various media sources, IT executives need to formulate a strategy and implement policies to deal with the burgeoning volume of such records.

As per the requirement of this section, if any law requires safe keeping of records, it can be done by electronic records retention as well, provided that records kept in electronic format remain usable subsequently. Further, the actual format in which the record was generated should be maintained throughout. This section further elaborates on the point of identity of the record: the original particulars of the document should be maintained in the electronic format. However, this section does not find application in electronically generated records.

Section 7-A: Audit of Documents etc. in Electronic form

Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form.

The new Section 7A was introduced to make audit of electronic documents mandatory wherever the legacy physical records were subject to audit. It is a welcome clarification. A huge responsibility is now cast on the Government to get its electronic records audited. This section now makes it mandatory for the Government to get all the electronic documents audited. While one can appreciate the need for this provision felt by the standing committee, we need to also understand the enormity of this responsibility.

The huge volumes of records held by the Government under e-Governance projects make it near impossible for an audit to be conducted in the traditional fashion. It is not possible for an auditor to look at a document and check if it is the same which was there the previous year. There is a need for technical enablement of such comparison through a recording of hash values of all files stored as a part of the e-Governance process. These hash tables need to be archived and digitally signed by the auditors as a part of their audit process. In some cases of e-Governance, it may not be possible to comply with this provision fully in respect of legacy documents.

Section 8: Publication of rules, regulation, etc, in Electronic Gazette

Where any law provides that any rule, regulation, order, bye-law, notification or any other matter shall be published in the Official Gazette, then, such requirement shall be deemed to have been satisfied if such rule, regulation, order, bye-law, notification or any other matter is published in the Official Gazette or Electronic Gazette:
Provided that where any rule, regulation, order, bye-law, notification or any other matter is published in the Official Gazette or Electronic Gazette, the date of publication shall be deemed to be the date of the Gazette which was first published in any form.
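The hash-table comparison that the commentary on Section 7-A calls for can be sketched as follows. This is an added example, not part of the original commentary or of any government system: the record names, contents and function names are constructed for illustration, and the auditor's digital signature over the manifest digest is assumed to be applied and verified outside the code.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one record, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash table for one audit: relative path -> SHA-256 of the record."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def manifest_digest(manifest):
    """Digest of the canonical hash table; the one value the auditor signs."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare_manifests(previous, current):
    """Classify every record against the previous audit's hash table."""
    common = set(previous) & set(current)
    missing = set(previous) - set(current)
    added = set(current) - set(previous)
    # Same bytes under a new path means moved or renamed, not destroyed.
    added_by_hash = {}
    for path in sorted(added):
        added_by_hash.setdefault(current[path], []).append(path)
    moved = []
    for old in sorted(missing):
        candidates = added_by_hash.get(previous[old])
        if candidates:
            moved.append((old, candidates.pop(0)))
    missing -= {old for old, _new in moved}
    added -= {new for _old, new in moved}
    return {
        "unchanged": sorted(p for p in common if previous[p] == current[p]),
        "modified": sorted(p for p in common if previous[p] != current[p]),
        "missing": sorted(missing),
        "added": sorted(added),
        "moved": moved,
    }


def audit(root, archived_manifest, signed_digest):
    """Audit the records under root against the archived hash table."""
    # A table that no longer matches the signed digest was itself altered.
    if manifest_digest(archived_manifest) != signed_digest:
        raise ValueError("archived hash table does not match signed digest")
    return compare_manifests(archived_manifest, build_manifest(root))


def write_record(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed records: first audit, a year of changes, second audit."""
    with tempfile.TemporaryDirectory() as root:
        write_record(root, "land/deed-001.txt", b"Plot 12, owner A")
        write_record(root, "land/deed-002.txt", b"Plot 13, owner B")
        write_record(root, "licences/lic-77.txt", b"Licence 77")
        write_record(root, "tax/return-09.txt", b"Return 2009: paid")
        archived = build_manifest(root)
        signed = manifest_digest(archived)  # assumed signed by the auditor
        write_record(root, "land/deed-001.txt", b"Plot 12, owner Z")  # altered
        os.remove(os.path.join(root, "licences", "lic-77.txt"))  # destroyed
        os.rename(os.path.join(root, "tax", "return-09.txt"),
                  os.path.join(root, "tax", "return-2009.txt"))  # renamed
        write_record(root, "land/deed-003.txt", b"Plot 14, owner C")  # new
        report = audit(root, archived, signed)
        # Rewriting the archived table to hide the altered deed is rejected.
        forged = dict(archived)
        forged["land/deed-001.txt"] = build_manifest(root)["land/deed-001.txt"]
        try:
            audit(root, forged, signed)
        except ValueError:
            return report, True
        return report, False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because only the manifest digest is signed, one signature covers any number of records, and the comparison scales to volumes that no auditor could inspect document by document.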
The obvious intention of introducing Section 8 was to satisfy the legal requirements regarding the publishing of Gazettes and to provide legal recognition to e-Gazettes. A normal reading of the intention behind such a measure is to bring greater transparency, convenience and economy to the system of publishing Gazettes. It would be in order for the Government under this section to start publishing Gazettes in e-form and start discontinuing the issue of paper based Gazette Notifications. Those who want a paper copy can always print out the e-documents. In case the print copy is required for judicial purposes, they can get it certified under Section 65B of the Indian Evidence Act.

The Government has now taken decisive steps to replace paper based transactions in the filing of corporate Income Tax returns as well as MCI returns. Similar steps in other functions of the Government are therefore in order. Gazette publication could be considered as one other initiative that is feasible to be converted from paper form to only electronic form.

Nearly 8 years after the legal enablement through ITA 2000, the Government of India took the first steps in publication of Gazette notifications in e-form when it launched the website http://egazette.nic.in, which is maintained by the Ministry of Urban Development department which earlier was entrusted with the functions of printing the Gazette notifications. While launching the website, it is reported that the Union Minister of Urban Development, Shri Jaipal Reddy, stated that this is an initiative to empower the citizens and bona fide users. He also reportedly stated that the e-Gazette will enable people to have access to and obtain the Gazette notifications issued by the Government immediately on uploading, on payment of the prescribed price of that notification. The e-Gazette will also help the media, social activists and many users for various other purposes like research, court cases and settlement of legal documents to a great extent.

The Orissa High Court in Orissa Consumers Association vs. Orissa Electricity Regulatory² held that the aforesaid provisions in the Information Technology Act, 2000 inter alia provide that if a notification is published in the Electronic Gazette, the notification is deemed to have been published in the Official Gazette.
The Proviso to Section 8 of the Act also makes it clear that where the notification is published both in the Official Gazette and the Electronic Gazette, the date of publication shall be deemed to be the date of the Gazette which was first published in any form.

Section 9: Sections 6, 7 and 8 Not to Confer Right to insist document should be accepted in electronic form

Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.

Section 9 limits the public right to use electronic means while dealing with any government or any government department. As per the section, there can be no insistence on the application of sections 6, 7 and 8 upon any such government or government department. The logical reason behind this could be laggard government policies. Government is still unable to provide sufficient infrastructure to provide the full spectrum of services. Thus it is the absolute right of the department to engage with information technology or not.

Section 10: Power to Make Rules by Central Government in respect of [Electronic Signature]³

The Central Government may, for the purposes of this Act, by rules, prescribe
a. the type of [Electronic Signature]⁴;
b. the manner and format in which the [Electronic Signature]⁵ shall be affixed;
c. the manner or procedure which facilitates identification of the person affixing the [Electronic Signature]⁶;
d. control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and
e. any other matter which is necessary to give legal effect to [Electronic Signatures]⁷.

It is always felt that, along with the statutory laws, a detailed set of rules is required to support them and for better implementation. So, appropriate governments have been given the powers to bring in these rules as and when required and as per their requirement. Thus, to achieve this, the central government brought in the Information Technology (Certifying Authority) Rules, 2000.

Rules notified under the Information Technology Act, 2000

a. The Information Technology (Reasonable security practices and Procedures and sensitive personal data or information) Rules, 2011
b. The Information Technology (Electronic Service Delivery) Rules, 2011
c. The Information Technology (Intermediaries guidelines) Rules, 2011
d. The Information Technology (Guidelines for Cyber Cafe) Rules, 2011
e. The Cyber Appellate Tribunal (Salary, Allowances and other terms and conditions of service of Chairperson and Members) Rules, 2009
f. The Cyber Appellate Tribunal (Procedure for investigation of Misbehaviour or Incapacity of Chairperson and Members) Rules, 2009
g. The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public), 2009
h. The Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009
i. The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
j. The Information Technology (Use of electronic records and digital signatures) Rules, 2004
k. The Information Technology (Security Procedure) Rules, 2004
l. The Information Technology (Other Standards) Rules, 2003
m. The Information Technology (Certifying Authority) Regulations, 2001
n. Information Technology (Certifying Authorities) Rules, 2000

As per the section, the central government may prescribe the types of electronic signature, the manner of affixing the signature, the procedure for identification of the person affixing the signature, etc.

Section 10-A: Validity of contracts formed through electronic means

Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose.⁸

A new section 10A has been inserted to the effect that contracts concluded electronically shall not be deemed to be unenforceable solely on the ground that electronic form or means was used. Since a contract is involved, the law of contract will play a major role here, but one thing should be kept in mind: this section only validates the contract in electronic form; it does not amend or modify the existing law of contract. Thus there is no point in repeating the existing law of contract again.

A quick revision of the rules regarding postal contracts and telephonic/instantaneous contracts is, however, required. The only difference between these two rules is the time taken in proposal, acceptance or revocation of the contract. A contract through post is complete when the acceptor puts his acceptance into transmission so as to be out of the power of the said acceptor, and the contract is made at the place where acceptance. However, in instantaneous communication the contract is complete when the acceptance is received by the offeror, and the contract is made at the place where the acceptance is received. Obviously an e-contract is a fine example of an instantaneous contract.

References
1. Substituted with digital signature by ITAA, 2008 2. AIR 2005 Ori 11 3. Substituted with Digital Signature by Information Technology Amendment Act, 2008. 4. Substituted with Digital Signature by Information Technology Amendment Act, 2008 5. Substituted with Digital Signature by Information Technology Amendment Act, 2008. 6. Substituted with Digital Signature by Information Technology Amendment Act, 2008. 7. Substituted with Digital Signatures by Information Technology Amendment Act, 2008. 8. Inserted by Information Technology (Amendment) Act, 2008

CHAPTER IV

ATTRIBUTION, ACKNOWLEDGMENT AND DISPATCH OF ELECTRONIC RECORDS


Chapter IV of the Act explicates the manner in which electronic records are to be attributed, acknowledged and dispatched. These provisions play a vital role when entering into agreements electronically. Chapter IV of the Information Technology Act, 2000 is an extension of section 7 and section 4 of the Indian Contract Act, 1872. It seems that the intention of the draftsmen of the Information Technology Act, 2000 is to promote e-commerce, or at least to promote communication through the electronic mode.

Section 11: Attribution of Electronic Records

An electronic record shall be attributed to the originator,
a. if it was sent by the originator himself;
b. by a person who had the authority to act on behalf of the originator in respect of that electronic record; or
c. by an information system programmed by or on behalf of the originator to operate automatically.

Attribution means considering something to be written or made by someone. Hence, this Section lays down how an e-record is to be attributed to the person who originated it. Section 11 states that an electronic record shall be attributed to the originator if it was sent by him, or by a person authorised on his behalf, or by an information system programmed to operate on behalf of the originator.

Originator does not include an intermediary.

Example: Arun uses his Gmail account to send an email to Vipull. Here, Arun is the originator and Gmail is the intermediary. If an employee of Arun, at Arun's direction, uses Arun's account to send this mail, it will still be said that Arun has originated the mail. Now suppose Arun is on vacation, and during the vacation he has turned his vacation responder on with the following message: "Thank you for your email. I am on vacation, will reply your mail as soon I get back." Here Arun has programmed an information system to operate automatically on his behalf, and Arun is still the originator. Thus, if your Facebook or Google+ account shows you "people you might know", those suggestions cannot be said to be originated by the people you might know; but any friend request will be attributed to the sender, or to a person who had the authority to act on behalf of the originator in respect of that electronic record, or to an information system programmed by or on behalf of the originator to operate automatically.

Section 11 of this Act must be read along with Section 88A of the Indian Evidence Act, 1872. However, as per Section 88A the Court shall not make any presumption as to the person by whom such message was sent. Thus, to bring a matter under section 11 of this Act, it has to be proved, inter alia, that the record was sent by the originator himself, or that it was sent by the authority of the originator, or that it was sent by an information system programmed by the originator. The intention of this section is very clear from a plain reading: it is meant to establish who has made the offer. Furthermore, section 11 corresponds to section 3 of the Indian Contract Act, 1872. As per section 3, any act or omission by which the party intends to communicate such act or omission has the effect of communicating it.
Since electronic communication is so fast and involves a lot of technologies and intermediaries, the actual intention of the parties is not easy to bring out. So, to avoid any undesirable circumstance and to promote e-commerce, a need to inject certain presumptions was felt. Section 11 does not create anything new; it is just an explicit expression of section 3 of the Indian Contract Act, 1872.

Section 12: Acknowledgement of Receipt

(1) Where the originator has not agreed with stipulated that the acknowledgment of receipt of electronic record be given in a particular form or by a particular method, an acknowledgment may be given by -
a. Any communication by the addressee, automated or otherwise; or
b. Any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.
(2) Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgment of such electronic record by him, then unless acknowledgment has been so received, the electronic record shall be deemed to have been never sent by the originator.
(3) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him and if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent.

As per Section 12, the addressee may acknowledge the receipt of the electronic record either in a particular manner or form as desired by the originator or, in the absence of such a requirement, by communication of the acknowledgement by the addressee or by any conduct that would sufficiently constitute acknowledgement. Normally, if the originator has stated that the electronic record will be binding only on receipt of the acknowledgement, then unless such acknowledgement is received, the record is not binding. However, if the acknowledgement is not received within the stipulated time period or, in the absence of a time period, within a reasonable time, the originator may notify the addressee to send the acknowledgement, failing which the electronic record will be treated as never been sent.

Now if we could, for a moment, think of acceptance as receipt, then section 7 of the Indian Contract Act, 1872 and section 12 of the Information Technology Act, 2000 are not much different from each other. Section 7 of the Contract Act specifies that if the manner of acceptance is not prescribed, then it should be made in some reasonable manner. Similarly, under section 12 of the Information Technology Act, 2000, if the parties have not agreed upon the manner of the receipt of an electronic record, then any communication by the addressee, even an automatically generated email response, or any conduct of the addressee sufficient to indicate that the record is received, would amount to receipt of the record.

When e-commerce is binding?

Section 12 of the Information Technology Act, 2000 corresponds to Section 4 of the Indian Contract Act, 1872. The rule about instantaneous communication between the parties is different from the rule about the post. The contract is only complete where the acceptance is received by the offeror, and the contract is made at the place where the acceptance is received.¹ Thus, as per section 12(2), when the originator stipulates that the electronic record shall be binding only on receipt of acknowledgement, the communication will be concluded only by such receipt; otherwise it will be deemed that no record was ever sent to the addressee. However, section 4 and section 12(2) are quite different, as the application of section 12(2) is wide enough to cover any electronic record, whereas section 4 is limited to contracts and nothing else.

Section 12(3) and Section 7(2)

Section 7(2) prescribes that if the proposal prescribes a manner in which it is to be accepted and the acceptance is not made in such manner, the proposer may, within a reasonable time after the acceptance is communicated to him, insist that his proposal shall be accepted in the prescribed manner and not otherwise.
So if no acceptance is made in the prescribed manner, the originator, here under the Information Technology Act, 2000, has the liberty to call off the contract. The same idea is repeated in section 12(3) of the Information Technology Act, 2000. Section 12(3) prescribes that "Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him and if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent."

Section 13: Time and place of dispatch and receipt of electronic record

(1) Save as otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator.
(2) Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely -
a. If the addressee has designated a computer resource for the purpose of receiving electronic records,
i. Receipt occurs at the time when the electronic record enters the designated computer resource; or
ii. If the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee;
b. If the addressee has not designated a computer resource along with specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee.
(3) Save as otherwise agreed between the originator and the addressee, an electronic record is deemed to be dispatched at the place where the originator has his place of business, and is deemed to be received at the place where the addressee has his place of business.
(4) The provisions of sub-section (2) shall apply notwithstanding that the place where the computer resource is located may be different from the place where the electronic record is deemed to have been received under sub-section (3).
(5) For the purposes of this section -
a. If the originator or the addressee has more than one place of business, the principal place of business shall be the place of business;
b. If the originator or the addressee does not have a place of business, his usual place of residence shall be deemed to be the place of business;
c. "Usual Place of Residence", in relation to a body corporate, means the place where it is registered.

Section 13 specifies that an electronic record is said to have been dispatched the moment it leaves the computer resource of the originator and said to be received the moment it enters the computer resource of the addressee. Section 13 results from the recognition that, for the operation of many existing rules of law, it is important to ascertain the time and place of receipt of information. The use of electronic communication techniques makes those difficult to ascertain. It is not uncommon for users of electronic commerce to communicate from one State to another without knowing the location of information systems through which communication is operated. In addition, the location of certain communication systems may change without either of the parties being aware of the change. Section 13 is thus intended to reflect the fact that the location of information systems is irrelevant and sets forth a more objective criterion, namely, the place of business of the parties. In that connection, it should be noted that Section 13 is not intended to establish a conflict-of-laws rule.

Section 13(1) defines the time of dispatch of a data message as the time when the data message enters an information system outside the control of the originator, which may be the information system of an intermediary or an information system of the addressee. The concept of "dispatch" refers to the commencement of the electronic transmission of the data message. Where "dispatch" already has an established meaning, section 13 is intended to supplement rules on dispatch and not to displace them.
If dispatch occurs when the data message reaches an information system of the addressee, dispatch under subsection (1) and receipt under subsection (3) are simultaneous, except where the data message is sent to an information system of the addressee that is not the information system designated by the addressee.

Section 13(2), the purpose of which is to define the time of receipt of a data message, addresses the situation where the addressee unilaterally designates a specific information system for the receipt of a message (in which case the designated system may or may not be an information system of the addressee), and the data message reaches an information system of the addressee that is not the designated system. In such a situation, receipt is deemed to occur when the data message is retrieved by the addressee, either on the designated system or otherwise. By "designated computer resource", the law is intended to cover a system that has been specifically designated by a party, for instance in the case where an offer expressly specifies the address to which acceptance should be sent. The mere indication of an electronic mail or telecopy address on a letterhead or other document should not be regarded as express designation of one or more computer resources.

Attention is drawn to the notion of "entry" into a computer resource, which is used for both the definition of dispatch and that of receipt of a data message. A data message enters a computer resource at the time when it becomes available for processing within that computer resource. Whether a data message which enters a computer resource is intelligible or usable by the addressee is outside the purview of this law. This section does not intend to overrule provisions of other law, such as the Indian Contract Act, under which receipt of a message may occur at the time when the message enters the sphere of the addressee, irrespective of whether the message is intelligible or usable by the addressee. Nor is this section intended to run counter to trade usages, under which certain encoded messages are deemed to be received even before they are usable by, or intelligible for, the addressee.
It was felt that it should not create a more stringent requirement than currently exists in a paper-based environment, where a message can be considered to be received even if it is not intelligible for the addressee or not intended to be intelligible to the addressee (e.g., where encrypted data is transmitted to a depository for the sole purpose of retention in the context of intellectual property rights protection).

A data message should not be considered to be dispatched if it merely reached the computer resource system of the addressee but failed to enter it. In particular, where the computer resource of the addressee does not function at all or functions improperly or, while functioning properly, cannot be entered into by the data message (e.g., in the case of a telecopier that is constantly occupied), dispatch under this section does not occur.

The purpose of section 13(3) is to deal with the place of receipt of a data message. The principal reason for including a rule on the place of receipt of a data message is to address a circumstance characteristic of electronic commerce that might not be treated adequately under existing law, namely, that very often the information system of the addressee where the data message is received, or from which the data message is retrieved, is located in a jurisdiction other than that in which the addressee itself is located. Thus, the rationale behind the provision is to ensure that the location of an information system is not the determinant element, and that there is some reasonable connection between the addressee and what is deemed to be the place of receipt, and that that place can be readily ascertained by the originator. Subsection (3) is intended to refer to both actual and contemplated underlying transactions. References to "place of business", "principal place of business" and "usual place of residence" under subsection (5) were adopted to bring the text in line with article 10 of the United Nations Convention on Contracts for the International Sale of Goods.

The effect of subsection (4) is to introduce a distinction between the deemed place of receipt and the place actually reached by a data message at the time of its receipt. However, it was felt that introducing a deemed place of receipt, as distinct from the place actually reached by that data message at the time of its receipt, would be inappropriate outside the context of computerized transmissions (e.g., in the context of telegram or telex). The provision was thus limited in scope to cover only computerized transmissions of data messages.

Reference
1. See Avtar Singh, page 31.

CHAPTER V

SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES¹


In the age of e-commerce, where electronic records and digital signatures are of crucial significance for the proper functioning of e-commerce and businesses in the globalized free market economy, it is imperative that e-commerce transactions in the form of electronic records and electronic/digital signatures be secure and authentic. Chapter V sets out the conditions that would apply to qualify electronic records and digital signatures as being secure. It contains sections 14 to 16.

Section 14: Secure Electronic Records

Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

If, through the use of a security procedure, it can be verified that an electronic record has not been altered since the application of the procedure till the point of verification, then such electronic record shall be considered to be a secure electronic record from such specified point in time to the time of verification. However, the burden of proof lies upon the relying party to show that the qualified security procedure was commercially reasonable under the circumstances and was applied by the relying party in a trustworthy manner, reasonably and in good faith. What the security procedure could be has not been clarified, and what security procedure would be valid under the law has not been explained. It appears that the scope of the security procedure is very wide. However, a security procedure for the purposes of this Section is a security procedure to detect changes in the content of an electronic record, one that is capable of providing reliable evidence that an electronic record has not been altered.

Section 15: Secure Electronic Signature

An electronic signature shall be deemed to be a secure electronic signature if -
(i) The signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and
(ii) The signature creation data was stored and affixed in such exclusive manner as may be prescribed.
Explanation - In case of digital signature, the "signature creation data" means the private key of the subscriber.

Towards the assurance of a secure electronic signature, section 15 prescribes that primarily two things are required to presume an electronic signature secure. Firstly, the signature creation data or the private key was under the control of the signatory while the signatory was affixing it. Secondly, the private key was stored and affixed in the prescribed manner. For better understanding, a secure electronic signature in respect of data contained in an electronic document is a digital signature that results from completion of the following consecutive operations:
a. application of the hash function to the data to generate a message digest;
b. application of a private key to encrypt the message digest;
c. incorporation in, attachment to, or association with the electronic document of the encrypted message digest;
d. transmission of the electronic document and encrypted message digest together with either a digital signature certificate, or a means of access to a digital signature certificate; and after receipt of the electronic document, the encrypted message digest and the digital signature certificate or the means of access to the digital signature certificate,
i. application of the public key contained in the digital signature certificate to decrypt the encrypted message digest and produce the message digest,
ii. application of the hash function to the data contained in the electronic document to generate a new message digest,

Section 16: Security procedures and Practices

The Central Government may for the purposes of sections 14 and 15 prescribe the security procedures and practices: Provided that in prescribing such security procedures and practices, the Central Government shall have regard to the commercial circumstances, nature of transactions and such other related factors as it may consider appropriate.

Nothing in Chapter V indicates the security procedure that finds its application in sections 14 and 15. However, under section 16 it is for the Central Government to prescribe the procedure. In order to narrow down its wide scope, this section also provides certain things to be kept in mind while deciding upon the security procedure, such as:
- Commercial circumstances and environment where these procedures are applied;
- Nature of transaction where these procedures will be applicable;
- Qualification and adaptability of parties involved;
- Complexity of the procedure;
- Any other related factor which it calls for.
This section leaves room for the Central Government to accommodate future upgradation of the technology.

Reference
1. Substitution of words digital signature by words electronic signature by ITAA 2008
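
The sequence of operations listed under Section 15, and the change detection that Section 14 expects of a security procedure, can be traced in the following added example, which is not part of the original commentary and is not taken from the Act or the Rules. It assumes SHA-256 as the hash function and unpadded textbook RSA with constructed demonstration keys; the Certificate and SignedRecord classes, the function names and the sample record are hypothetical, and the final comparison of the two digests is the standard verification step.

```python
"""Added illustration: hash -> private key -> attach -> public key -> re-hash."""
import hashlib
from dataclasses import dataclass, replace

E = 65537  # widely used RSA public exponent


def make_key(p: int, q: int):
    """Build a textbook RSA key pair ((n, e), d) from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return (n, E), d


# Constructed demonstration keys built from well-known Mersenne primes.
# They are easy to reproduce and NOT secure; real keys use random primes.
SUBSCRIBER_PUBLIC, SUBSCRIBER_PRIVATE = make_key(2**521 - 1, 2**607 - 1)
STRANGER_PUBLIC, STRANGER_PRIVATE = make_key(2**127 - 1, 2**521 - 1)


@dataclass(frozen=True)
class Certificate:
    """Hypothetical stand-in for a digital signature certificate."""
    subscriber: str
    public_key: tuple  # (n, e)


@dataclass(frozen=True)
class SignedRecord:
    """Electronic document travelling with its encrypted digest and certificate."""
    document: bytes
    encrypted_digest: int
    certificate: Certificate


def message_digest(data: bytes) -> int:
    """Hash the data and return the digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_record(document: bytes, private_exponent: int,
                certificate: Certificate) -> SignedRecord:
    n, _ = certificate.public_key
    digest = message_digest(document)             # operation (a)
    # Operation (b). Unpadded for clarity; deployed schemes pad the digest.
    encrypted = pow(digest, private_exponent, n)
    # Operations (c) and (d): digest and certificate accompany the document.
    return SignedRecord(document, encrypted, certificate)


def verify_record(record: SignedRecord) -> dict:
    n, e = record.certificate.public_key
    recovered = None
    if 0 <= record.encrypted_digest < n:          # reject out-of-range values
        recovered = pow(record.encrypted_digest, e, n)   # operation (i)
    fresh = message_digest(record.document)              # operation (ii)
    # Equal digests mean the record is unaltered since the key was applied.
    return {"recovered": recovered, "fresh": fresh,
            "unaltered": recovered == fresh}


def alter_document(record: SignedRecord, new_document: bytes) -> SignedRecord:
    """Simulate a change to the record after the signature was affixed."""
    return replace(record, document=new_document)


def demo() -> dict:
    cert = Certificate("Arun (constructed subscriber)", SUBSCRIBER_PUBLIC)
    contract = b"Offer accepted: 100 units at Rs. 500 each."  # constructed record
    genuine = sign_record(contract, SUBSCRIBER_PRIVATE, cert)
    altered = alter_document(genuine, b"Offer accepted: 900 units at Rs. 500 each.")
    # Signature made with a key that was never the subscriber's private key.
    forged = sign_record(contract, STRANGER_PRIVATE, cert)
    cases = [("genuine", genuine), ("altered", altered), ("forged", forged)]
    return {name: verify_record(rec)["unaltered"] for name, rec in cases}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: unaltered and attributable = {ok}")
```

The altered and forged cases fail for different reasons: the first changes the new message digest, the second produces an encrypted digest that the subscriber's public key cannot turn back into the document's digest.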

CHAPTER VI

REGULATION OF CERTIFYING AUTHORITIES


Section 17: Appointment of Controller and other officers

(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers, other officers and employees as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers other officers and employees shall be such as may be prescribed by the Central Government.
(5) The Head Office and Branch Office of the Office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.

For the proper functioning of this Act, and for ensuring that the aims and purposes of the statute are fulfilled in accordance with the general principles laid down by the Parliament, it is necessary to have some authority or officer. Such authority or officer may also have persons to assist him. The right to appoint all such authorities or officers vests in the Central Government. The Office of the CCA came into existence on November 1, 2000. It aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures.

The term "Controller", as defined in clause (m) of section 2, means the Controller of Certifying Authorities appointed under sub-section (1) of section 17 to perform the functions of the Controller under this Act. The Central Government may, by notification in the Official Gazette, appoint any person as the Controller of Certifying Authorities. Being the appointing authority, the Central Government may also remove him and may take such action as it may deem proper. The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users. The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under section 17 of the Act for purposes of the IT Act.

The Central Government may by notification in the Official Gazette appoint a Controller of Certifying Authorities, and also Deputy and Assistant Controllers whose qualifications, experience and terms and conditions of service may be prescribed by the Government, for discharging the functions provided under section 18 of the Act. The only essential condition under this sub-section is that the persons appointed to assist the Controller must be appointed by the Central Government, and not by the Controller. The Central Government has appointed three Deputy Controllers for Technical, Finance & Legal and Investigation purposes, and four Assistant Controllers for Technical (2), Finance & Legal and Investigation purposes.

The Controller shall discharge all or any of his functions subject to the general control and directions of the Central Government. The words "Controller shall discharge his functions" have been used in section 17(2) as against the words "Controller may perform all or any of the following functions" used in section 18 of the Act. If there are directions of the Central Government, it shall be mandatory for the Controller to discharge his functions in accordance with those directions.

Subject to the general control and directions of the Central Government

The Controller shall discharge his functions subject to the general control and direction of the Central Government. The Central Government will issue necessary directions to the Controller in accordance with the provisions of the Act, and Rules made there under. The Central Government may issue such directions or instructions as it may consider reasonable for the impartial implementation of various provisions of this Act. Such directions shall not be against the provisions of this Act and the rules made under this Act. However, the Central Government shall not have any power to interpret the provisions of the Act or the Rules by issuing the directions. Under section 83 of this Act, the Central Government may also give directions to the State Government as to the carrying into execution in the State of any of the provisions of this Act. The Act has placed all the Dy. Controllers and Assistant Controllers under the Superintendence and control of the Controller. Such superintendence and control may be exercised in judicial and administrative matters. If necessary, the Controller can interfere with the administrative orders passed by the Dy. Controller or Assistant Controller. The power of superintendence is in addition to the power to control the Dy. Controllers and Assistant Controllers. The supervisory jurisdiction extends to keeping the Dy. Controllers and Assistant Controllers within the limits of their authority and ensuring that they obey the law. The Controller is no doubt head of the Dy. Controllers and Assistant Controllers and other subordinate officers appointed to assist him, but he is not a head of the Computer, Computer system and computer network of any person. 
The Controller is given certain powers of general supervision over the Computer system or computer network e.g., he has power to investigate any contravention of the provisions of the Act and Rules, but these powers can only be exercised in cases where the contravention is reported The Controller cannot be deemed to be the head of the computer, computer system or computer network and he should not be deemed to have power to interfere in the functioning of the person or company possessing the computer, computer system and computer network. The Act empowers the Central Government to appoint an officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer to hold an enquiry as to whether any person has contravened any provisions of the Act or any rule, regulation or direction or

Cyber and Technology Laws 85

order made there under which renders him liable to pay penalty or compensation. Sub-section (4) provides that the Central Government shall prescribe under the rules the qualifications, experience and terms of conditions of service of Controller, Dy. Controllers and Asstt. Controllers other officers and employees. Accordingly, rule Z of the Information Technology (Conditions of Service of the Controller) Rules, 2000 has laid down the following qualification for the appointment of Controller of Certifying Authorities: (i) Bachelors Degree in Engineering/Technology and 20 years experience out of which 5 years should be at senior management levels in Information Technology (IT) or related sectors; or (ii) Masters Degree in Science/Engineering/Technology and 18 years experience out of which 5 years should be at senior management levels in Information Technology (IT) or related sectors; or (iii) Doctorate in Science/Engineering related sectors or equivalent and 15 years experience out of which 5 years should be at senior management levels in Information Technology (IT) or related sectors; or (iv) Management Degree (MBA) with Bachelors Degree ir Engineering/ Technology or Bachelors Degree in Science and 18 years experience out of which 5 years should be at senior management levels in Information Technology (IT) or related sectors; or According Rule 4 of the said Rules the Controller shall hold office for a period of 3 years, but shall be eligible for reappointment, provided that no person shall hold office beyond the age of 65 years. Rule 5 of the said Rules further provides that the Controller shall receive pay and allowances as admissible to a Secretary to the Government of India including all the benefits that a Secretary is entitled to. The Information Technology (Other Standards) Rules, 2003, provides in Rule 3 for certain Standards to be observed by the Controller. 
It says that the Controller shall observe the standards laid down in the Information Technology Security Guidelines and Security Guidelines for Certifying Authorities referred to in the Information Technology (Certifying Authorities) Rules, 2000, to ensure that the secrecy and security of the digital signatures are assured.

The adjudicating officer appointed under the Act can exercise jurisdiction to adjudicate matters in which the claim for injury or damages does not exceed Rupees 5 Crore. In respect of claim for
injury or damage exceeding rupees five crores, the jurisdiction shall vest with the cyber appellate tribunal and after that high court.

Section 18: Functions of Controller - The Controller may perform all or any of the following functions, namely:
(a) Exercising supervision over the activities of the Certifying Authorities;
(b) Certifying public keys of the Certifying Authorities;
(c) Laying down the standards to be maintained by the Certifying Authorities;
(d) Specifying the qualifications and experience which employees of the Certifying Authorities should possess;
(e) Specifying the conditions subject to which the Certifying Authorities shall conduct their business;
(f) Specifying the content of written, printed or visual material and advertisements that may be distributed or used in respect of a Electronic Signature[1] Certificate and the Public Key;
(g) Specifying the form and content of an Electronic Signature[2] Certificate and the key;
(h) Specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
(i) Specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
(j) Facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
(k) Specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
(l) Resolving any conflict of interests between the Certifying Authorities and the subscribers;
(m) Laying down the duties of the Certifying Authorities;
(n) Maintaining a data-base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.

Section 18 of the Information Technology Act, 2000 provides the required legal sanctity to the digital signatures based on asymmetric cryptosystems. The digital signatures are now accepted at par with handwritten signatures and the electronic documents that have been digitally signed are treated at par with paper documents.

The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority of India (RCAI) under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CA) in the country. The RCAI is operated as per the standards laid down under the Act. The CCA certifies the public keys of CAs using its own private key, which enables users in the cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to the CAs in the country.

Section 19: Recognition of foreign Certifying Authorities -
(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognize any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section (1), the Electronic Signature[3] Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.
(3) The Controller may if he is satisfied that any Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.

Section 19 enables a domestic certification authority to guarantee, to the same extent as its own certificates, the correctness of the details of the foreign certificate, and to guarantee that the foreign certificate is valid and in force. However, this section is intended to reflect the basic principle that the place of origin, in and of itself, should in no way be a factor determining whether and to what extent foreign certificates or electronic signatures should be recognized as capable of being legally effective. Determination of whether, or the extent to which, a certificate or an electronic signature is capable of being legally effective should not depend on the place where the certificate or the electronic signature was issued but on its technical reliability.

The purpose of this section is to provide the general criterion for the cross-border recognition of certificates without which suppliers of certification services might face the unreasonable burden of having to obtain licences in multiple jurisdictions. However, it is not intended to place foreign certification services in a better position than domestic ones. For that purpose, this section establishes a threshold for technical equivalence of foreign certificates based on testing their reliability against the reliability requirements established by the enacting State pursuant to the Model Law.

Section 19 (2) provides that electronic signature certificates issued by foreign certification authorities shall not be precluded from having the same recognition as certificates issued by domestic certification authorities on the ground that they have been issued by foreign certification authorities. However, section 19 (3) brings liability upon the controller to issue process to the foreign authority if it contravenes any procedure under which it was recognized as the certifying authority.
That criterion is to apply regardless of the nature of the certification scheme obtaining in the jurisdiction from which the certificate or signature emanated. Through a reference to the central notion of a substantially equivalent level of reliability, the section acknowledges that there might be significant variance between the requirements of individual jurisdictions. The requirement of equivalence does not mean that the level of reliability of a foreign certificate should be exactly identical with
that of a domestic certificate. In addition, it should be noted that, in practice, suppliers of certification services issue certificates with various levels of reliability, according to the purposes for which the certificates are intended to be used by their customers. Depending on their respective level of reliability, certificates and electronic signatures may produce varying legal effects, both domestically and abroad. For example, in certain countries, even certificates that are sometimes referred to as low-level or low-value certificates might, in certain circumstances (e.g. where parties have agreed contractually to use such instruments), produce legal effect. Therefore, in applying the notion of equivalence, it should be borne in mind that the equivalence to be established is between functionally comparable certificates. However, no attempt has been made to establish a correspondence between certificates of different types issued by different suppliers of certification services in different jurisdictions.

Equal treatment of certificates and other types of electronic signatures
This section expresses with respect to electronic signatures the same rule as set forth in sub-section (1) regarding certificates.

Recognizing some legal effect to compliance with the laws of a foreign country
Sub-sections (1) and (2) deal exclusively with the cross-border reliability test to be applied when assessing the reliability of a foreign certificate or electronic signature.

Section 20: Controller to act as repository (Omitted by the Information Technology (Amendment) Act, 2008 (10 of 2009), Section 13 (w.e.f. 27-10-2009)).

Section 21: License to issue electronic signature[4] certificates -
(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for a license to issue Electronic Signature Certificates.
(2) No license shall be issued under sub-section (1), unless the applicant fulfills such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Electronic Signature[5] Certificates as may be prescribed by the Central Government.
(3) A license granted under this section shall -
(a) be valid for such period as may be prescribed by the Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by the regulations.

An electronic signature can be understood as a digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of an electronic/digital signature is to guarantee that the individual sending the message really is who he or she claims to be. The digital code (electronic/digital signature) is generated by using Electronic Certificates. A Certifying Authority is a trusted third-party organization or company that issues electronic certificates used for creating electronic signatures. The role of the Certifying Authority in this process is to guarantee that the individual or organization granted the unique certificate is, in fact, who he or she claims to be. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be. However, these certifying authorities need to get their licenses to issue these electronic signatures.

As per section 21 (1), any person who fulfills the provisions of sub-section (2) can apply for this license. This section has laid down a condition precedent for the grant of licence by the Controller. The conditions that an applicant for the grant of licence must fulfill before the licence could be granted are with respect to the following, the details of which have been prescribed by the Central Government under the Rules:
I. Qualification
II. Expertise
III. Manpower
IV. Financial resources
V. Other infrastructure facility

For verifying and assessing the financial resources, the Controller shall appoint auditors. He will send an auditor to the prospective Certifying Authority's place. The licence will be granted after the satisfactory report of the auditor.
The Controller has empowered 12 auditors after a rigorous exercise. The auditors include - Deloitte Haskins, Price Waterhouse Coopers (PWC), Satyam Computers, Wipro, Tata Consultancy Services (TCS), Arthur Andersen and Ernst & Young.[6]

Rule 8 of the Information Technology (Certifying Authorities) Rules, 2000 says that the following persons may apply for the grant of a licence to issue Electronic Signature Certificates:
(1) (a) an individual, being a citizen of India and having a capital of five crores of rupees or more in his business or profession;
(b) a company having
i. paid-up capital of not less than five crores of rupees; and
ii. net worth of not less than fifty crores of rupees;
(c) a firm having
i. capital subscribed by all partners of not less than five crores of rupees; and
ii. net worth of not less than fifty crores of rupees;
(d) Central Government or a State Government or any of the Ministries or Departments, Agencies or Authorities of such Governments.
(2) An individual, or a company, or a firm shall furnish a performance bond in the form of a banker's guarantee from a scheduled bank in favour of the Controller in such form and in such manner as may be approved by the Controller for an amount of not less than five crores of rupees and the performance bond or banker's guarantee shall remain valid for a period of six years from the date of its submission.
(3) Rule 9 of the Information Technology (Certifying Authorities) Rules, 2000 says that the infrastructure associated with all functions of generation, issue and management of Electronic Signature Certificate as well as maintenance of Directories containing information about the status, and validity of Electronic Signature Certificate shall be installed at any location in India.

Licence Granted shall be Subject to such Terms and Conditions as may be Specified in the Regulations
Rule 13 of the Information Technology (Certifying Authorities) Rules, 2000 says that a licence shall be valid for a period of five years from the date of its issue and that it shall not be transferable. It shall not be heritable.
According to clause (c) of sub-section (3) of section 21, a licence granted under this section shall be subject to such terms and conditions as may be specified by the Regulations. Regulation No. 3 of the Information Technology (Certifying Authority) Regulations, 2001 says that every licence to issue Electronic
Signature Certificates shall be granted under the Act subject to the terms and conditions narrated therein, which are as under:
(a) The licence shall be valid for a period of five years from the date of issue.
(b) The licence shall not be transferable or heritable.
(c) The Controller can revoke or suspend the licence in accordance with the provisions of the Act.
(d) The Certifying Authority shall be bound to comply with all the parameters against which it was audited prior to issue of licence and shall consistently and continuously comply with those parameters during the period for which the licence shall remain valid.
(e) The Certifying Authority shall subject itself to periodic audits to ensure that all conditions of the licence are consistently complied with by it. As the cryptographic components of the Certifying Authority systems are highly sensitive and critical, the components must be subjected to periodic expert review to ensure their integrity and assurance.
(f) The Certifying Authority must maintain secure and reliable records and logs for activities that are core to its operations.
(g) Public Key Certificates and Certificate Revocation Lists must be archived for a minimum period of seven years to enable verification of past transactions.
(h) The Certifying Authority shall provide Time Stamping Service for its subscribers. Error of the Time Stamping clock shall not be more than 1 in 10.
(i) The Certifying Authority shall use methods, which are approved by the Controller, to verify the identity of a subscriber before issuing or renewing any Public Key Certificate.
(j) The Certifying Authority shall publish a notice of suspension or revocation of any certificate in the Certificate Revocation List in its repository immediately after receiving an authorized request of such suspension or revocation.
(k) The Certifying Authority shall always assure the confidentiality of subscriber information.
(l) All changes in Certificate Policy and certification practice statement shall be published on the website of the Certifying Authority and brought to the notice of the Controller well in advance of such publication. However any change shall
not contravene any provision of the Act, rule or regulation made thereunder.
(m) The Certifying Authority shall comply with every order or direction issued by the Controller within the stipulated period.

Overall Management and Obligations
(a) The Certifying Authority shall manage its functions in accordance with the levels of integrity and security approved by the Controller from time-to-time.
(b) The Certifying Authority shall disclose information on the assurance levels of the certificates that it issues and the limitations of its liabilities to each of its subscribers and relying parties.
(c) The Certifying Authority shall, as approved, in respect of security and risk management controls, continuously ensure that security policies and safeguards are in place. Such controls include personnel security and incident handling measures to prevent fraud and security breaches.

Certificate and Key Management
(a) To ensure the integrity of its digital certificates, the Certifying Authority shall ensure the use of approved security controls in the certificate management processes, i.e., certificate registration, generation, issuance, publication, renewal, suspension, revocation and archival.
(b) The method of verification of the identity of the applicant of a Public Key Certificate shall be commensurate with the level of assurance accorded to the certificate.
(c) The Certifying Authority shall ensure the continued accessibility and availability of its Public Key Certificates and Certificate Revocation Lists in its repository to its subscribers and relying parties.
(d) In the event of a compromise of the private key the Certifying Authority shall follow the established procedures for immediate revocation of the affected subscribers' certificates.
(e) The Certifying Authority shall make available the information relating to certificates issued and/or revoked
by it to the Controller.
(f) The private key of the Certifying Authority shall be adequately secured at each phase of its life cycle, i.e., key generation, distribution, storage, usage, backup, archival and destruction.
(g) The private key of the Certifying Authority shall be stored in high security module in accordance with FIPS 140-1 level 3 recommendations for Cryptographic Modules Validation List.
(h) Continued availability of the private key shall be ensured through approved backup measures in the event of loss or corruption of its private key.
(i) All submissions of Public Key Certificates and Certificate Revocation Lists to the Controller must ensure that subscribers and relying parties are able to access the National Repository using LDAP version 3 for X.500 Directories.
(j) The Certifying Authority shall ensure that the subscriber can verify the Certifying Authority's Public Key Certificate, if he chooses to do so, by having access to the Public Key Certificate of the Controller.

Systems and Operations
(a) The Certifying Authority shall prepare detailed manuals for performing all its activities and shall scrupulously adhere to them.
(b) Approved access and integrity controls such as intrusion detection, virus scanning, prevention of denial of service attacks and physical security measures shall be followed by the Certifying Authority for all its systems that store and process the subscribers' information and certificates.
(c) The Certifying Authority shall maintain records of all activities and review them regularly to detect any anomaly in the system.

Physical, procedural and personnel security
(a) Every Certifying Authority shall get an independent, periodic audit done through an approved auditor. Such periodic audits shall focus on the following issues among
others:
(i) changes/additions in physical controls such as site location, access etc.;
(ii) re-deployment of personnel from an approved role/task to a new one;
(iii) appropriate security clearances for outgoing employees such as deletion of keys and all access privileges;
(iv) thorough background checks, etc., during employment of new personnel.
(b) The Certifying Authority shall follow approved procedures to ensure that all the activities referred to in (i) to (iv) in sub-regulation (a) are recorded properly and made available during audits.

Financial
(a) Every Certifying Authority shall comply with all the financial parameters during the period of validity of the licence, issued under the Act.
(b) Any loss to the subscriber, which is attributable to the Certifying Authority, shall be made good by the Certifying Authority.

Compliance Audits
(a) The Certifying Authority shall subject itself to Compliance Audits that shall be carried out by one of the empanelled Auditors duly authorized by the Controller for the purpose. Such audits shall be based on the Internet Engineering Task Force document RFC 2527 - Internet X.509 PKI Certificate Policy and Certification Practices Framework.

Section 22: Application for license -
(1) Every application for issue of a license shall be in such form as may be prescribed by the Central Government.
(2) Every application for issue of a license shall be accompanied by
(a) A certification practice statement;
(b) A statement including the procedures with respect to identification of the applicant;
(c) Payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government;
(d) Such other documents, as may be prescribed by the Central Government.

A prospective CA has to establish the required infrastructure, get it audited by the auditors appointed by the office of Controller of Certifying Authorities, and only based on complete compliance of the requirements, a license to operate as a Certifying Authority can be obtained. The license is issued by the Controller of Certifying Authority, Ministry of Information Technology, Government of India.

For operating as a licensed Certifying Authority under the IT Act, 2008, an application has to be made to the Controller of Certifying Authorities as stipulated under Section 21 of the IT Act. The application form for grant of license prescribed under Rule 10 of the IT Act has to be submitted to the Controller of Certifying Authorities. Before submitting the application however, the applicant is expected to have the entire infrastructure - technical, physical, procedural and manpower - in place.

On receipt of the application and after examination of the same along with the supporting documents, CCA will depute an empanelled auditor based on whose audit report a decision will be taken on whether a license can be granted to the applicant to operate as a Certifying Authority under the IT Act 2000. In case non-compliances to the requirements of the IT Act, its Rules & Regulations are observed during the audit, the applicant will be required to take corrective action and be subject to audit once again for further examination for grant of licence.

In addition to the documents listed in Rule 10, the following documents, among others, are required to be furnished, along with the application form.
1. Company Profile/Experience of Individuals;
2. For an individual, proof of capital of Rs. 5 crores or more in his business or profession;
3. For a company/firm;
4. proof of paid-up capital not less than Rs. 5 crores;
5. proof of net worth not less than Rs. 50 crores;
6. Proof of Equity (Proof that equity share capital held in aggregate by NRIs, FIIs or foreign companies does not exceed 49% of its capital);
7. An undertaking to submit Performance Bond or Banker's Guarantee valid for six years from a scheduled bank for an amount not less than Rs. 5 crores in accordance with Rule 10(ii)(h) of the IT Act;
8. Crossed cheque or bank draft for Rs. 25,000/- (for fresh application) or Rs. 5,000/- (for renewal) in favour of the Pay & Accounts Officer, DIT, New Delhi. Both fees are non-refundable;
9. Certified true copies of the company's incorporation, articles of association etc.;
10. Original business profile report with certification from Registrar of Companies;
11. Audited accounts for the past 3 years (if applicable);
12. The CA's Certification Practice Statement (CPS) as laid down in Annexure I to these Guidelines;
13. Technical specifications of the CA system and CA security policies, standards and infrastructure available/proposed and locations of facilities;
14. Information Technology and Security Policy proposed to be followed by the CA in its operations under Rule 19;
15. Statement addressing the manner in which the CA shall comply with the requirements stipulated in the IT Act, Rules and Regulations;
16. Organisational chart and details of all trusted personnel;
17. Date by which the applicant will be ready for audit to start. The application shall be deemed to have been received on this date for processing purposes;
18. Date by which commencement of CA operations is proposed. Operations can only commence after due compliance with Rule 20;
19. An undertaking by the applicant that they will make payment to the Auditor appointed by the CCA at the rate to be prescribed by the CCA;
20. The Controller reserves the right to call for any other information that may be required to process the application;

Section 23: Renewal of license - An application for renewal of a license shall be
(a) In such form;
(b) Accompanied by such fees, not exceeding five thousand rupees,
as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the license.

License can be renewed before the 45 days of expiry date of 5
years. Renewal fee is 5000/-. After the expiry of the date, late fee will be collected in addition to the renewal fee.

Rule 15(1) of the Information Technology (Certifying Authorities) Rules, 2000 laid down that the provisions of rules 8 to 13 shall apply in the case of an application for renewal of a licence as it applies to a fresh application. It means an individual or a company or a firm or the Government will have to apply for renewal of licence in the form given in Schedule I, and shall have to enclose all the documents mentioned in rule 10. The renewal application shall be accompanied by a non-refundable fee of Rs. 25000 payable by Bank draft or by a pay order drawn in the name of the Controller. The renewed licence shall be valid for a period of 5 years from the date of issue.

Section 24: Procedure for grant or rejection of license - The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the documents accompanying the application and such other factors, as he deems fit, grant the license or reject the application:
Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.

On receipt of the application and after examination of the same along with the supporting documents, CCA will depute an empanelled auditor based on whose audit report a decision will be taken on whether a license can be granted to the applicant to operate as a Certifying Authority under the IT Act 2000.

According to the proviso under section 24, the Controller shall not reject any application for the grant of licence unless the applicant has been given a reasonable opportunity of presenting his case. This condition of giving a reasonable opportunity of presenting his case is mandatory and must be complied with by the Controller.
The Controller shall give a reasonable opportunity of presenting his case to the person concerned for showing cause against the proposed action for rejection of licence.

Section 25: Suspension of License -
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has -
(a) Made a statement in, or in relation to, the application for the issue or renewal of the license, which is incorrect or false in material particulars;
(b) Failed to comply with the terms and conditions subject to which the license was granted;
(c) Failed to maintain the standards specified in Section 30 [Substituted for the words under clause (b) of sub-section (2) of section 20; vide amendment dated September 19, 2002];
(d) Contravened any provisions of this Act, rule, and regulation or order made thereunder,
revoke the license:
Provided that no license shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a license under sub-section (1), by order suspend such license pending the completion of any enquiry ordered by him:
Provided that no license shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
(3) No Certifying Authority whose license has been suspended shall issue any Electronic Signature[7] Certificate during such suspension.

Under this section the Controller has been invested with a power to institute an inquiry into the actions of the certifying authority narrated in clauses (a) to (d) of sub-section (1). He has a statutory right to conduct inquiry. An inquiry may be necessary if the certifying authority has made statements which are false in material particulars.

A bare reading of sub-sections (1) and (2) together brings forward that the Controller is required to take the following steps before any revocation of the licence:
(a) giving a reasonable opportunity of showing cause against the proposed suspension of licence;
(b) inquiry against the actions taken by certifying authority;
(c) suspension of licence pending the completion of any inquiry ordered by him;
(d) giving a reasonable opportunity of showing cause against the proposed revocation of licence;
(e) revocation of the licence.

Giving a reasonable opportunity of showing cause against the proposed suspension of licence
If the Controller of certifying authorities has a proposal before him for the suspension of licence of a certifying authority, he shall take the first step of giving a notice to the certifying authority that it is proposed to suspend the licence and therefore, a reasonable opportunity of showing cause against the proposed suspension of licence was being given. This conclusion follows from the words "unless the certifying authority has been given a reasonable opportunity of showing cause against the proposed suspension" used in the proviso to sub-section (2).

Inquiry against the actions taken by certifying authority
The Controller has been given a power of inquiry against the certifying authority if the certifying authority has taken any of the following steps as per sub-section (1), clauses (a) to (d):
(i) made statement in the application for the issue of the licence, which is incorrect or false in material particulars;
(ii) failed to comply with the terms and conditions subject to which the licence was granted;
(iii) failed to maintain the procedures and standards specified in section 30;
(iv) contravened any provisions of this Act, rule, regulation or order made thereunder.

The inquiry could be ordered by the Controller suo motu at any time and on any information the Controller likes. The Controller has been given powers of supervision over the activities of the certifying authority under section 18(a) and therefore he has also a power to hold inquiry into the working of the certifying authority. The Controller shall communicate the result of such inquiry to the Certifying authority.
No statutory period has been prescribed under the section within
which inquiry should be completed: There is no statutory period either under the Act or the rules made thereunder within which the inquiry should be completed. In fact that is not the intention of the section; the inquiry may be completed or may not be completed within such time as may be specified in the order. The Controller may entrust the inquiry to the Dy. Controller or the Assistant Controller. If the inquiry cannot be completed within the time specified in the order, the Controller may entrust it to such other person as he may deem fit.

Suspension of licence pending the completion of any inquiry ordered by him
Sub-section (2) provides that the Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence under sub-section (1), by order suspend the licence pending the completion of any inquiry ordered by him. If a notice about the reasonable opportunity of showing cause against the proposed suspension has not been given to the certifying authority, the Controller cannot suspend a licence for a period exceeding ten days.

Giving a reasonable opportunity of showing cause against the proposed revocation of licence
The revocation of licence is the last step which can be taken against a licence holder. Therefore before any such step could be taken, the Controller will have to inform the certifying authority that the licence is proposed to be revoked. He will also give a reasonable opportunity of showing cause against the proposed revocation of licence. The certifying authority may produce documents showing that such a harsh step is not required to be taken against it. The Controller may not give personal hearing but reasonable opportunity must be given to the certifying authority for presenting its case against the proposed revocation.
If the Controller has revoked the licence without giving such a notice and opportunity to the certifying authority, the order for revocation will be liable to be struck down by the court of law.

Revocation of the licence

If the result of the inquiry conducted by the Controller satisfies the Controller that any statement made in the application for the issue of licence was incorrect or false in material particulars, he may revoke the licence. If the certifying authority has failed to comply with the terms and conditions subject to which the licence was granted and this is proved in the inquiry, the Controller may revoke the licence. Similarly, if the certifying authority has failed to maintain the procedures and standards specified in section 30 or has contravened any of the provisions of the Act, rule, regulation or order made thereunder and this is proved beyond doubt during inquiry, the Controller may revoke the licence.

However, Rule 14(2) of the Information Technology (CA) Rules, 2000 has laid down an additional condition on the basis of which the licence may be suspended. It says that the licence granted to an individual, or company or firm shall stand suspended when (a) the performance bond submitted, or (b) the banker's guarantee furnished by the individual, company or firm is invoked under sub-rule (2) of rule 8. Sub-rule (2) of rule 8 says that an individual, or a company, or a firm shall furnish a performance bond in the form of a banker's guarantee from a scheduled bank in favour of the Controller in such form and in such manner as may be approved by the Controller for an amount of not less than five crores of rupees and the performance bond or banker's guarantee shall remain valid for a period of six years from the date of its submission. The first proviso to sub-rule (2) says that the company or firm shall furnish a performance bond in the form of a banker's guarantee for ten crores of rupees. The second proviso to sub-rule (2) further says that nothing in the first proviso shall apply to the company or firm after it has acquired or has a net worth of fifty crores of rupees.

Clause (d) of sub-section (1) of section 25 also says that contravention of any rule will be a ground for the revocation of the licence. Therefore, if there is a contravention of this condition, the Controller can take action under section 25. Sub-section (4) prohibits the issue of electronic signature certificates by the Certifying Authority during the period of suspension of licence.

Section 26: Notice of suspension or revocation of license - (1) Where the license of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the data-base maintained by him. (2) Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories. Provided that the data-base containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock. Provided further that the Controller may, if he considers necessary, publicize the contents of the data-base in such electronic or other media, as he may consider appropriate.

The action taken by the Controller against the certifying authority must be made known to all concerned persons. Therefore, provision has been made for issuing a notice by the Controller about the suspension or revocation of the licence of certifying authority. This sub-section says that publication of notice shall be made in the database maintained by the Controller. The term "database" means a representation of information, knowledge, facts etc., that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network. No person is entitled to download or to take a copy or extract from the computer database without the permission of the owner of the computer, computer system or computer network. The violator of this rule is liable to a heavy penalty under section 43. Therefore, under this sub-section the Controller has been authorized to publish a notice of suspension or revocation in the database maintained by him and not the database maintained by the certifying authority.

A database of electronic signature certificates and other relevant information accessible on-line is known as a repository. The Controller shall publish notice of suspension or revocation of the licence of certifying authorities in all repositories. After the deletion of section 20, the Controller is no longer the repository of electronic signature certificates. This work has been given to the Certifying Authorities under section 30.
Any subscriber desirous of obtaining a digital signature certificate will have to submit the application to the Certifying Authority in a form prescribed by the Central Government. This section provides for the Certifying Authority to certify, while issuing a Digital Signature Certificate, that it has complied with the provisions of the Act, the rules and regulations made thereunder and also with other conditions mentioned in the Digital Signature Certificate. However, Section 34(1)(c) has also put a duty on the certifying authority to disclose the notice of the suspension or revocation of its certifying authority in the manner specified by the regulations.

Section 27: Power to delegate - The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter.

Due to the vast length and breadth of the country, it is not possible for a single Controller to exercise his powers as efficiently as possible. He may, therefore, by general or special written order, confer on the Deputy Controller, Assistant Controller or any officer, any of his powers specified under this chapter. The powers of the Controller under this Chapter may be summarized as under:
1. To recognise foreign certifying authorities (section 19)
2. To grant licence to issue electronic/digital signature certificates or to reject the application for grant of licence (sections 21 and 24)
3. To suspend or revoke the licence and to publish notice for such suspension or revocation of licence (sections 25 and 26)
4. To investigate into any contravention of the provisions of this Act, rules or regulations made thereunder by exercising powers conferred on Income-tax authorities (section 28)
5. To have access to computer system or data for searching any information or data (section 29)

When such powers are conferred on any person under this Act, such person shall exercise those powers and act as Controller in the matters connected with such powers. The Controller may by general order authorize all the Deputy Controllers to exercise any of the powers conferred on him. The Controller may by special order authorize any one Deputy Controller to exercise any of his powers.
It is a principle of law that a subsequent general order shall not prevail over the previous special order, unless the intention to do so is clearly manifested. A general order cannot be impliedly cancelled by a subsequent special order issued by the Controller, unless it is proved that the Controller had in mind its own general order when it made the special order. Powers should not be delegated by name; they should be delegated by designation. Although the Act maintains a distinction between a Controller and the Deputy Controller or Assistant Controller under section 17(3), yet this section has empowered the Controller to delegate his powers to any of his subordinate officers. Once the Statute has authorised the Controller to confer by notifications those powers which have been entrusted to him on the officers, and such notifications have been duly made, it cannot be said that the powers which were entrusted to the Controller cannot be exercised by the officer so authorised. If such officer passes any order, it cannot be said that such officer has acted beyond his jurisdiction.

Section 28: Power to investigate contraventions - (1) The Controller or any officer authorised by him in this behalf shall take up for investigation any contravention of the provisions of this Act, rules or regulations made thereunder. (2) The Controller or any officer authorised by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.

The Controller has power to investigate any person or thing acting contrary to the Act. He can inspect the records of a company and seize them. If the Controller has a doubt or suspicion, he can check the computer system, computer networks, data, apparatus and other material connected to the computer system. This section empowers the Controller to take up for investigation any contravention of the provisions of this Act, rules or regulations made thereunder. The Controller may delegate his power of investigation to any Deputy or Assistant Controller or may authorize any officer to investigate into any such contravention. This provision is silent as to the category of persons against whom the investigation will be conducted.
The following categories of persons are connected with the application and enforcement of the Act, rules and regulations:
a. Certifying Authority,
b. Subscriber,
c. Incharge of computer, computer system or computer network,
d. Employee of a person who operates the computer, computer system or computer network,
e. Any company, firm or agency connected with the software relating to website,
f. Any company in which the Government is a major shareholder,
g. Originator,
h. Intermediary,
i. Addressee.

This section is also silent about the basis of commencement of the investigation. It does not say whether the Controller will start investigation on the basis of any complaint, application or information or any direction of the Central Government, or whether he will be able to start investigation suo motu on the basis of his own information. This power of the Controller is not controlled by any other power, but his functions are subject to the general control and directions of the Central Government. Sub-section (1) does not, in express terms, authorise the Controller to order an investigation on his own motion. In case of any complaint or application, the Controller will have discretion to order an investigation, although he must exercise such discretion having regard to the purposes of the Act.

Sub-section (1) of section 29 says that if the Controller has reasonable cause to suspect that any contravention has been committed, he shall have a power of access to the computer system. It means there must be some material before the Controller which may give rise to reasonable cause to suspect that any contravention of the provision has been committed. The fulfillment of this requirement is a condition precedent before the commencement of the work relating to (i) access or (ii) search by the Controller. If the certifying authority is misusing the licence granted to him, the Controller can investigate contravention of provisions of the Act, Rules and Regulations. It cannot be said that there was no objective basis for the Controller to exercise his discretionary power. But this power should only be exercised in cases where the entire working of the certifying authority or subscriber or any other person is against the statute.
As per sub-section (2), in order to investigate any contravention of the provisions of this Act, Rules or Regulations made thereunder, the Controller shall exercise the like powers of Income Tax Authorities
under Chapter XIII of the Income-tax Act, 1961. The Income Tax Authorities have been conferred the following powers under Chapter XIII of the Income-tax Act:

Power regarding discovery, production of evidence, etc. [8]

The Controller or any Officer authorized by him in this behalf, shall for the purposes of this Act, have the same powers as are vested in a court under the Code of Civil Procedure, 1908 (5 of 1908), when trying a suit in respect of the following matters, namely:
a. discovery and inspection;
b. enforcing the attendance of any person, including any officer of a banking company and examining him on oath;
c. compelling the production of books of account and other documents; and
d. issuing commissions.

Power regarding Search and seizure [9]

If the Controller or any Officer authorized by him in this behalf, in consequence of information in his possession, has reason to believe that
a. any person to whom a summons was issued to produce, or cause to be produced, any books of account or other documents has omitted or failed to produce, or cause to be produced, such books of account, or other documents as required by such summons or notice, or
b. any person to whom a summons or notice as aforesaid has been or might be issued will not, or would not, produce or cause to be produced, any books of account or other documents which will be useful for, or relevant to, any proceeding under this Act, or
then, the Controller or any other officer authorized by him may
(i) enter and search any building, place, vessel, vehicle or aircraft where he has reason to suspect that such books of account, other documents, money, or other valuable article or thing are kept;
(ii) break open the lock of any door, box, locker, safe, almirah or other receptacle for exercising the powers conferred by clause (i) where the keys thereof are not available;
(iii) search any person who has got out of, or is about to get into, or is in, the building, place, vessel, vehicle or aircraft, if the authorized officer has reason to suspect that such person has secreted about his person any such books of account, other documents, money, or other valuable article or thing;
(iv) seize any such books of account, other documents, money, or other valuable article or thing found as a result of such search;
(v) place marks of identification on any books of account or other documents or make or cause to be made extracts or copies therefrom;
(vi) make a note or an inventory of any such money, or other valuable article or thing.

Power to requisition books of account, etc. [10]

Where the Controller or any Officer authorized by him in this behalf, in consequence of information in his possession, has reason to believe that
a. any person to whom a summons was issued to produce, or cause to be produced, any books of account or other documents has omitted or failed to produce, or cause to be produced, such books of account or other documents, as required by such summons or notice and the said books of account or other documents have been taken into custody by any officer or authority under any other law for the time being in force, or
b. any books of account or other documents will be useful for, or relevant to, any proceeding under this Act and any person to whom a summons or notice as aforesaid has been or might be issued will not, or would not, produce or cause to be produced, such books of account or other documents by any officer or authority by whom or which such books of account or other documents have been taken into custody under any other law for the time being in force, or
c.
any assets represent either wholly or partly income or property which has not been, or would not have been, disclosed for the purposes of this Act by any person from whose possession or control such assets have been taken into custody by any officer or authority under any other law for the time being in force,
then, the Controller or any Officer authorized by him in this behalf shall require such officer or authority to deliver such books of account, other documents or assets to the requisitioning officer either forthwith or when such officer or authority is of the opinion that it is no longer necessary to retain the same in his or its custody.

Power to call for information [11]

The Controller or any officer authorized by him in this behalf may, for the purposes of this Act,
(1) require any firm to furnish him with a return of the names and addresses of the partners of the firm and their respective shares;
(2) require any Hindu undivided family to furnish him with a return of the names and addresses of the manager and the members of the family;
(3) require any person whom he has reason to believe to be a trustee, guardian or agent, to furnish him with a return of the names of the persons for or of whom he is trustee, guardian or agent, and of their addresses;
(4) require any assessee to furnish a statement of the names and addresses of all persons to whom he has paid in any previous year rent, interest, commission, royalty or brokerage, or any annuity, not being any annuity taxable under the head "Salaries" amounting to more than one thousand rupees, or such higher amount as may be prescribed, together with particulars of all such payments made;
(5) require any dealer, broker or agent or any person concerned in the management of a stock or commodity exchange to furnish a statement of the names and addresses of all persons to whom he or the exchange has paid any sum in connection with the transfer, whether by way of sale, exchange has received any such sum, together with particulars of all such payments and receipts;
(6) require any person, including a banking company or any officer thereof, to furnish information in relation to such points or matters, or to furnish statements of accounts and affairs verified in the manner specified by the Controller.

Power of survey [12]

The Controller or any officer authorized by him in this behalf may enter
a. any place within the limits of the area assigned to him, or
b.
any place occupied by any person in respect of whom he exercises jurisdiction, or
c. any place in respect of which he is authorized for the purposes of this section by such Income-tax Authority, who is assigned the area within which such place is situated or who exercises jurisdiction in respect of any person occupying such place,
at which a business or profession is carried on, whether such place be the principal place or not of such business or profession, and require any proprietor, employee or any other person who may at that time and place be attending in any manner to, or helping in, the carrying on of such business or profession
i. to afford him the necessary facility to inspect such books of account or other documents as he may require and which may be available at such place,
ii. to afford him the necessary facility to check or verify the cash, stock or other valuable article or thing which may be found therein, and
iii. to furnish such information as he may require as to any matter which may be useful for, or relevant to, any proceeding under this Act.

Power to collect certain information [13]

The Controller or any other officer authorized by him in this behalf may, for the purpose of collecting any information which may be useful for, or relevant to, the purposes of this Act, enter
a. any building or place within the limits of the area assigned to such authority, or
b. any building or place occupied by any person in respect of whom he exercises jurisdiction,
at which a business or profession is carried on, whether such place be the principal place or not of such business or profession, and require any proprietor, employee or any other person who may at that time and place be attending in any manner to, or helping in, the carrying on of such business or profession to furnish such information as may be prescribed.

Power to inspect registers of companies [14]

The Controller or any other officer authorized by him in this behalf may take copies, or cause copies to be taken, of any register of the members, debenture-holders or mortgagees of any company or of any entry in such register.

Power to make an enquiry [15]

The Controller or any other officer authorized by him in this behalf shall be competent to make any enquiry under this Act, and for this purpose shall have all the powers that an Assessing Officer has under the Income-tax Act in relation to the making of enquiries.

Proceedings before the Controller to be judicial proceedings for limited purposes [16]

Any proceeding under this Act before the Controller or any other Officer authorized by him in this behalf shall be deemed to be a judicial proceeding within the meaning of sections 193 and 228 of the Income-tax Act and for the purposes of section 196 of the Indian Penal Code, 1860, and the Controller or any other officer authorized by him in this behalf shall be deemed to be a Civil Court for the purposes of section 195, but not for the purposes of Chapter XXVI, of the Code of Criminal Procedure, 1973.

Section 29: Access to computers and data - (1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this chapter made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.

The words "Without prejudice to the provisions of sub-section (1) of section 69" suggest that the action under section 29 shall be in addition to the action which may be taken under section 69(1).
Therefore, the Controller may take action if he has reasonable cause to suspect that any contravention of the provisions of this Chapter has been committed. Before any action can be taken by the Controller under this section, there must be some material before the Controller which may give reasonable cause to suspect that any contravention of the provisions of this chapter (Chapter VI) has been committed by a person. If reasonable suspicion has not arisen in the mind of the Controller, he cannot take action against any person. Reasonable cause to suspect is a condition precedent for taking any action under sub-section (1) of section 29.

If the Controller has reasonable cause to suspect that any contravention of the provisions of this chapter has been committed, he shall have access to (i) any computer system, (ii) any apparatus, (iii) any data or (iv) any other material connected with such system. This wide power was considered necessary so as to prevent the contravention of the provisions of this Chapter. The power of access includes power to gain entry into the logical, arithmetical or memory function resource of a computer, computer system or computer network. The Controller can instruct or communicate with any such functions so as to confirm the suspicion about the contravention of the provisions of this chapter.

The power of search is a very wide power conferred on the Controller. This power is linked with the responsibility on the Controller that no harassment is caused to the person concerned during the search operation. The purpose of the search must be to obtain any required information or data only. Therefore, the search operation should be restricted to the computer, computer system or computer network or any of the hardware or software relating to the computer or paper based records, documentation and back up data containing general information or confidential information. If any contravention of the provisions of this Chapter is found during the search operation, the Controller shall have access to the computer system.

Rule 34 of the Information Technology (Certifying Authorities) Rules, 2000 deals with the access to confidential information. It has permitted access to confidential information by the Certifying Authority's operational staff on a need-to-know and need-to-use basis.
The Controller may authorize the Certifying Authority's operational staff to conduct a search of the confidential information. Rule 34(3) has provided that the confidential information shall not be taken out of the country except with the permission of the Controller.
However, as per sub-section (2), the Controller may direct any person in charge to provide him with such reasonable technical and other assistance. For the purposes of doing a search under sub-section (1) of section 29, the Controller has been given a power to direct (i) any person in-charge of the operation of the computer system, data operations and material or (ii) any person otherwise concerned with the operation of the computer system, data operations and material, to provide him
a. with such reasonable technical assistance as he may consider necessary or
b. with such reasonable other assistance as he may consider necessary.

Section 30: Certifying Authority to follow certain procedures - Every Certifying Authority shall
(a) Make use of hardware, software, and procedures that are secure from intrusion and misuse;
(b) Provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions;
(c) Adhere to security procedures to ensure that the secrecy and privacy of the Electronic Signature [17] are assured;
(ca) be the repository of all Electronic Signature [18] Certificates issued under this Act; [19]
(cb) publish information regarding its practices, Electronic Signature [20] Certificates and current status of such certificates; [21] and
(d) Observe such other standards as may be specified by regulations.

According to section 30, the Certifying Authority shall follow the following procedure:

Clause (a) has made it mandatory to make use of such hardware or software which are secure from intrusion and misuse. It has further directed the Certifying Authority to make use of such procedure which is secure from (i) intrusion and (ii) misuse. The intention is to compel the certifying authority to make use of such computer hardware, software, and procedure that
a. are reasonably secure from unauthorized access, intrusion and misuse;
b. provide a reasonable level of reliability and correct operation;
c. are reasonably suited to performing the intended function; and
d. adhere to generally accepted security procedures.

While defining the term "security" in Schedule V of Information Technology (Certifying Authorities) Rules, 2000, it has been said that absolute security is impossible to achieve in practice and the quality of a given security system is relative. Within a state-model security system, security is a specific state to be preserved under various operations.

Clause (b) is also mandatory. The certifying authority shall provide such services which (i) have a reasonable level of reliability, and (ii) are reasonably suited to the performance of intended function. Section 40(1)(d) has made it obligatory on the part of the certifying authority to disclose its ability to perform its services. Rule 21(1) of the Rules lays down that before ceasing to act as a Certifying Authority, a Certifying Authority shall make a reasonable effort to ensure that discontinuing its certification services causes minimal disruption to its subscribers and persons duly needing to verify digital signatures by reference to the public keys contained in outstanding Digital Signature Certificates. Rule 5.5(1) of the Information Technology (IT) Security Guidelines provides that prevention, detection and deterrence measures shall be implemented to safeguard the security of computers and computer information from misuse. The measures taken shall be properly documented and reviewed regularly.

When the Act was enacted, sections 20 and 30 of the Act laid down responsibility on the Controller and the Certifying Authority respectively to adhere to the security procedures and ensure the secrecy of the digital or electronic signature. Thereafter in 2008, section 20 was omitted.
Thereafter, under section 30(c) it is the duty of the Certifying Authority to ensure that not only the secrecy of the electronic signatures but also the security of the electronic signatures is assured. For this purpose the Certifying Authority has been empowered to make use of hardware, software and procedures that are secure from intrusion and misuse. Under section 30, the Certifying Authority has been directed to follow certain procedures.

Clause (c) says that the certifying authority shall adhere to security procedure to ensure that (i) secrecy of the electronic signature and (ii) privacy of electronic signature are assured. The privacy of the electronic signature is known to the Certifying Authority and if the Certifying Authority or any person has secure access to it and has committed a breach of confidentiality and privacy, he shall be punished under section 72. According to rule 25(iii) of the Information Technology (Certifying Authorities) Rules, 2000 it has been made mandatory for the Certifying Authority that before the issue of the Digital Signature Certificate, he shall comply with all privacy requirements. If the subscriber's data are under the custody of the Certifying Authority, Rule 22(1) of Security Guidelines for Certifying Authorities lays down that in order to protect the privacy of the subscriber's data the Certifying Authority shall implement the procedures and security controls. Similarly, confidential information provided by the subscriber must not be disclosed to a third party without the subscriber's consent, unless the information is required to be disclosed under the law or a court order. Rule 22(2) of the said guidelines also lays down that data on the usage of the Digital Signature Certificates by the subscribers and other transactional data relating to the subscribers' activities generated by the Certifying Authority in the course of its operation shall be protected to ensure the subscribers' privacy.

The clause (ca) was inserted by amendment in 2008. Before this amendment, the Controller of the Certifying Authorities was the repository of all digital signature certificates under section 20 of this Act.
That section has now been deleted and now the Certifying Authority has been made the repository of all electronic signature certificates. Such certificates are to be issued by the certifying authority under section 24 of this Act. What is a repository? A database of electronic signature certificates and other relevant information accessible online is known as a repository. The Certifying Authority shall keep such a database of electronic signature certificates.

The clause (cb) was inserted by amendment in 2008 along with clause (ca). Every certifying authority shall publish information on the website or otherwise regarding the (i) practices, (ii) electronic signature certificates and (iii) the current status of such certificates.

Section 30 has laid down a mandatory condition that the Certifying Authority shall observe such other standards as may be prescribed. The Central Government has prescribed the standards under Rule 6 of the Information Technology (Certifying Authority) Rules, 2000. Rule 7 of the above Rules lays down that all electronic Signature Certificates issued by the Certifying Authorities shall conform to ITU X.509 version 3 standard as per rule 6 and shall inter alia contain the data laid down in clauses (a) to (f) of Rule 7. The Certifying Authority shall ensure that the secrecy and security of the digital signatures are assured.

Under section 30(d), the Certifying Authority shall also observe such other standards as may be specified by regulations. Regulation 4 of the Information Technology (Certifying Authorities) Regulations, 2001 has laid down in detail the standards to be followed by the Certifying Authority for carrying out different activities associated with its functions. The details of such standards are available in clauses (a) to (k) of sub-section (1) of regulation 4.

Section 31: Certifying Authority to ensure compliance of the Act, etc. - Every Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made thereunder.

Duty of Certifying Authority to Ensure Compliance of the Act, Rules, Regulations etc. by its Employees

There are two main officers under the Act, i.e., (i) the Controller of Certifying Authorities and (ii) the Certifying Authorities.
It is the duty of every certifying authority to ensure that: (i) every person employed or otherwise engaged by it complies with the provisions of this Act, rules, regulations and orders made thereunder, (ii) every person employed by him complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made thereunder. His employees have to make use of hardware, software, and procedures that are secure from intrusion and misuse and to adhere to security procedures to ensure that the secrecy and privacy of the electronic signature is assured.

Section 32: Display of license - Every Certifying Authority shall display its license at a conspicuous place of the premises in which it carries on its business.

It is the duty of the Certifying Authority to display its licence at a prominent place of his business premises so that the subscribers or other persons who are dealing with him are aware of it. The licence to the Certifying Authority is granted by the Controller of Certifying Authorities for the purposes of issuing electronic/digital signature Certificates.

Section 33: Surrender of license - (1) Every Certifying Authority whose license is suspended or revoked shall immediately after such suspension or revocation, surrender the license to the Controller. (2) Where any Certifying Authority fails to surrender a license under sub-section (1), the person in whose favor a license is issued, shall be guilty of an offense and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both.

Section 25 deals with the suspension and revocation of licence. This section says that after suspension of the licence, the certifying authority shall surrender the licence to the Controller immediately. The combined effect of these two sections is that there are two stages for taking action against the certifying authority. The first is the suspension of licence by the Controller and the second stage is the revocation of the licence.
If the Controller has taken the first step of suspension of licence, and started an inquiry against the certifying authority, there is every likelihood that the licence may not be revoked.

Failure to Surrender the Licence is a Punishable Offence

Although there is a separate chapter on offences under this Act, sub-section (2) has prescribed punishment for persons who are guilty of committing an offence under section 33. The certifying authority shall be punished with imprisonment which may extend to six months or a fine which may extend up to ten thousand rupees or with both. Non-compliance with the directions of the Controller has been declared an offence under section 68. The only condition under section 68(2) is that such non-compliance must have been done by the Certifying Authority or his employee intentionally or knowingly. If the Certifying Authority fails to surrender the licence intentionally or knowingly, his act will become an offence under sections 33 and 68 of this Act.

Section 34: Disclosure - (1) Every Certifying Authority shall disclose in the manner specified by regulations (a) Its Electronic Signature[22] Certificate; (b) Any certification practice statement relevant thereto; (c) Notice of revocation or suspension of its Certifying Authority certificate, if any; and (d) Any other fact that materially and adversely affects either the reliability of a Electronic Signature[23] Certificate, which that Authority has issued, or the Authority's ability to perform its services. (2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which a Electronic Signature[24] Certificate was granted, then, the Certifying Authority shall (a) Use reasonable efforts to notify any person who is likely to be affected by that occurrence; or (b) Act in accordance with the procedure specified in its certification practice statement to deal with such event or situation.

This section means that the regulations shall lay down in detail the manner in which the certifying authority shall disclose (i) its electronic signature certificate, (ii) any Certification Practice Statement (CPS) which is issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Electronic Signature Certificates, (iii) notice of the revocation or suspension of its certifying authority certificate and (iv) any other fact that materially and adversely affects the reliability of an electronic signature certificate or the certifying authority's ability to perform its services.

Instead of laying down the manner in which the certifying authority shall disclose the electronic signature certificate etc., regulation 5(1) of the Information Technology (Certifying Authorities) Regulations, 2001 merely reproduces clauses (a) to (d) of section 34 of the Act verbatim. Regulation 5(2) provides that the Certifying Authority shall make disclosure of the above record to the Controller through filling up of on-line forms on the web site of the Controller on the date and time the information is made public. The Certifying Authority shall electronically sign the information. On the other hand, section 26(2) says that the Controller shall publish the notice of suspension or revocation of the licence of certifying authorities in all the repositories. The first proviso to sub-section (2) of section 26 has made it mandatory for the Controller to make available the database containing the notice of suspension or revocation through a website which shall be accessible round the clock.

As per sub-section (2), if, after the issue of the licence, there is any change in the necessary requirements for the grant of licence, e.g., qualification, expertise, manpower, financial resources and other infrastructure facilities, it may materially and adversely affect the integrity of the computer system, as section 21(2) says that these are necessary for the grant of licence to issue electronic signature certificate.
If such an event has occurred or situation has arisen, then the Certifying Authority shall (a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or (b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation. Clause (c) of sub-section (3) of section 21 provides that the licence granted by the Controller shall be subject to such terms and conditions as may be specified by the regulations. Regulation 3 of the Information Technology (Certifying Authorities) Regulations, 2001 has laid down the terms and conditions subject to which an electronic signature certificate is to be granted. If such an event has occurred or situation has arisen, then the Certifying Authority shall (a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or (b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation. A certification practice statement means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Digital Signature Certificates. According to Rule 28 of the Information Technology (Certifying Authorities) Rules, 2000, where a digital signature certificate in operational use becomes compromised, it shall be revoked in accordance with the procedure defined in the Certification Practice Statement of the Certifying Authority. According to Rule 30(2) to (4) no fee is to be levied for access to Certification Practice Statement via Internet. A fee may be charged by the Certifying Authority for providing printed copies of its Certification Practice Statement (CPS). According to section 35(4), on receipt of an application under sub-section (1) of section 35, the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the electronic signature Certificate or, for reasons to be recorded in writing, reject the application.

References
1. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
2. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
3. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
4. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
5. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
6. The Economic Times 13 April, 2002, p. b.
7. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
8. Refer to section 131 of Income Tax Act, 1961
9. Refer to section 132 of Income Tax Act, 1961
10. Refer to section 132A of Income Tax Act, 1961
11. Refer to section 133 of Income Tax Act, 1961
12. Refer to section 133A of Income Tax Act, 1961
13. Refer to section 133B of Income Tax Act, 1961
14. Refer to section 134 of Income Tax Act, 1961
15. Refer to section 135 of Income Tax Act, 1961
16. Refer to section 136 of Income Tax Act, 1961
17. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
18. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
19. Inserted by Information Technology (Amendment) Act, 2008
20. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
21. Inserted by Information Technology (Amendment) Act, 2008
22. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
23. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
24. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008

CHAPTER VII

ELECTRONIC SIGNATURE[1] CERTIFICATES


Section 35: Certifying Authority to issue Electronic Signature[2] Certificate - (1) Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government. (2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority: Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants. (3) Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars, as may be specified by regulations. (4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or for reasons to be recorded in writing, reject the application: Provided that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.

Any subscriber desirous of obtaining an electronic signature certificate will have to submit the application to the Certifying Authority in a form prescribed by the Central Government. In Schedule IV attached to the Information Technology (Certifying Authorities) Rules, 2000, a form for application for issue of Electronic Signature Certificate prescribed by the Central Government is available. This form is common for the individual applicants, company, firm, body of individuals, association of persons, local authority and Government organisations. It must be accompanied by such fees as may be prescribed by the Central Government. But such fees shall not exceed Rs. 25,000. According to Rule 30(2) to (4), a fee may be payable in respect of access to the Certifying Authority's directory for certificate downloading and in respect of access to the Certifying Authority's directory service of certificate of revocation or status information. No fee is to be levied for access to Certification Practice Statement via Internet. A fee may be charged by the Certifying Authority for providing printed copies of its Certification Practice Statement (CPS). The subscriber shall attach either the certification practice statement or a statement containing such particulars as have been specified by the regulations.

Sub-section (4) lays down that the Certifying Authority may take the following steps before issuing the electronic signature certificate to the subscriber: (i) consideration of Certification Practice Statement (CPS) or other statement, i.e., statement containing particulars as may be specified by the regulations; (ii) make enquiries as the Certifying Authority may deem fit; (iii) reject the application after recording in writing the reasons for such rejection. The proviso to sub-section (4) lays down a condition precedent that before rejecting the application, the Certifying Authority must give a reasonable opportunity of showing cause against the proposed rejection. Without giving an opportunity to the applicant to show cause against the proposed rejection of application, the Certifying Authority cannot reject the application.
The principles of natural justice would require that the application should not be rejected on any ground unless the applicant is given an opportunity to meet that ground. Clause (b) of Rule 23 has laid down that the certifying authority shall not issue an interim electronic signature certificate. After making proper enquiry and satisfying himself, the certifying authority can grant the final electronic signature certificate to the applicant.

Section 36: Representations upon issuance of Digital Signature Certificate - A Certifying Authority while issuing a Digital Signature Certificate shall certify that (a) It has complied with the provisions of this Act and the rules and regulations made thereunder; (b) It has published the Digital Signature Certificate or otherwise made it available to such person relying on it and the subscriber has accepted it; (c) The subscriber holds the private key corresponding to the public key, listed in the Digital Signature Certificate; (ca) the subscriber holds a private key which is capable of creating a digital signature[3] (cb) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber.[4] (d) The subscriber's public key and private key constitute a functioning key pair; (e) The information contained in the Digital Signature Certificate is accurate; and (f) It has no knowledge of any material fact, which if it had been included in the Digital Signature Certificate would adversely affect the reliability of the representations made in clauses (a) to (d).

"Electronic Signature Certificate" means an Electronic Signature Certificate issued under section 35 and includes Digital Signature Certificate. Section 3 of the Information Technology Act, 2000 deals with the digital signature certificate, and section 3A deals with the electronic signature certificate. Both these sections run parallel to each other throughout this Act. This section provides for the Certifying Authority to certify while issuing a Digital Signature Certificate that it has complied with the provisions of the Act, the rules and regulations made thereunder and also with other conditions mentioned in the Digital Signature Certificate.

As has been discussed in the commentary under section 2(q) of the Act relating to the definition of digital signature certificate, Section 2(q) requires amendment. All the conditions mentioned in clauses (a) to (f) of section 36 will have to be certified by the Certifying Authority. The requirements of authentication of electronic record by subscriber in all the sub-sections of section 3 are as follows: (i) Any subscriber may authenticate an electronic record by affixing his digital signature; (ii) It shall be effected by the use of (a) asymmetric crypto system and (b) hash function; (iii) Any person by the use of public key of the subscriber can verify the electronic record, and (iv) the private key and public key are unique to the subscriber.

According to Rule 25 of the Information Technology (Certifying Authorities) Rules, 2000, before the issue of the Digital Signature Certificate, the Certifying Authority shall: (i) confirm that the user's name does not appear in its list of compromised users; (ii) comply with the procedure as defined in his Certification Practice Statement including verification of identification and/or employment; (iii) comply with all privacy requirements; (iv) obtain a consent of the person requesting the Digital Signature Certificate, that the details of such Digital Signature Certificate can be published on a directory service.

Section 37: Suspension of Digital Signature Certificate - (1) Subject to the provisions of sub-section (2), the Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate (a) on receipt of a request to that effect from (i) the subscriber listed in the Digital Signature Certificate; or (ii) any person duly authorised to act on behalf of that subscriber; (b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest. (2) A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter. (3) On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

In the case of suspension, a temporary hold is placed on the effectiveness of the operational period of a Digital Signature Certificate without permanently revoking the Digital Signature Certificate. A Digital Signature Certificate suspension is invoked by a CRL entry with a reason code. The meaning of Certificate Revocation List (CRL) has been given in the Glossary in Schedule V of the Information Technology (Certifying Authorities) Rules, 2000.

The opening words of sub-section (1) are "Subject to the provisions of sub-section (2)". The condition under sub-section (2) says that a Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter. Giving the opportunity of being heard is a condition precedent for suspending the digital signature certificate for a period exceeding 15 days. There are two conditions on the basis of which the certifying authority can suspend the digital signature certificate. These conditions are as under: (a) on receipt of a request to that effect from (i) the subscriber listed in the Digital Signature Certificate; or (ii) any person duly authorized to act on behalf of that subscriber; (b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest. If the Certifying Authority is not satisfied with the fulfilment of the conditions and is of the opinion that any one of the conditions laid down in sub-section (1) is not satisfied, he shall give an opportunity of being heard to the subscriber before any kind of communication of suspension.
The subscriber must be given an opportunity of being heard. If the certifying authority is misusing the licence granted to him, the Controller can investigate contravention of provisions of the Act, rules and regulations. It cannot be said that there was no objective basis for the Controller to exercise his discretionary power. But this power should only be exercised in cases where the entire working of the certifying authority or subscriber or any other person is against the statute. Reasonable time must be allowed to the subscriber to answer in writing, but neither examination of witnesses nor any regular trial is necessary. Such statutory hearings, even though they need not conform to the technical rules of procedure, must comply with the essential rules of fair hearing, i.e., the rules of natural justice. In other words it must not be confidential or ex parte or it must not be without giving sufficient time to answer the reasons of such act or omission referred to in sub-section (1). The Authority must inform the subscriber of his opinion as to why he would like to pass an order under this sub-section and must give a notice offering an opportunity to explain his conduct.

Section 38: Revocation of Digital Signature Certificate - (1) A Certifying Authority may revoke a Digital Signature Certificate issued by it (a) Where the subscriber or any other person authorised by him makes a request to that effect; or (b) Upon the death of the subscriber; or (c) Upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company.
(2) Subject to the provisions of sub-section (3) and without prejudice to the provisions of sub-section (1), a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of opinion that (a) a material fact represented in the Digital Signature Certificate is false or has been concealed; (b) a requirement for issuance of the Digital Signature Certificate was not satisfied; (c) the Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability; (d) the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound-up or otherwise ceased to exist. (3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter. (4) On revocation of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

Suspension and Revocation

This section provides for the revocation of Digital Signature Certificates under certain circumstances. The process of permanently ending the operational period of a Digital Signature Certificate from a specified time forward is known as revocation of a Digital Signature Certificate. There is a difference between the suspension and revocation of the digital signature certificate. In the case of suspension a temporary hold is placed on the effectiveness of the operational period of a Digital Signature Certificate without permanently revoking the Digital Signature Certificate. The suspension of a Digital Signature Certificate is invoked by a CRL (Certificate Revocation List) entry with a reason code, whereas revocation is a process of permanently ending the operational period of the certificate. Further, such revocation shall not be done unless the subscriber has been given an opportunity of being heard in the matter. The revocation will be done on any one of the following conditions: (a) where the subscriber or any other person authorized by him makes a request to that effect; or (b) upon the death of the subscriber; or (c) upon the dissolution of the firm or winding up of the company, where the subscriber is a firm or a company.
Grounds for Revocation

If the Certifying Authority is of the opinion that any of the conditions mentioned in clauses (a) to (d) of sub-section (2) of section 38 and clauses (a) to (d) of Rule 29(1) are present, he may, subject to other conditions, revoke the Digital Signature Certificate.

Under section 38(2): (a) a material fact represented in the Digital Signature Certificate is false or has been concealed; (b) a requirement for issuance of the Digital Signature Certificate was not satisfied; (c) the Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability; (d) the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound up or otherwise ceased to exist.

Under Rule 29(1): (a) there is a compromise of the Digital Signature Certificate owner's private key; (b) there is misuse of the Digital Signature Certificate; (c) there is a misrepresentation or errors in the Digital Signature Certificate; (d) the Digital Signature Certificate is no longer required.

Compromise of Digital Signature Certificate

According to clause (a) of Rule 28 a Digital Signature Certificate shall be deemed to be compromised where the integrity of (i) the private key associated with the Digital Signature Certificate is in doubt; (ii) the Digital Signature Certificate owner is in doubt, as to the use, or attempted use of his key pairs, or otherwise, for malicious or unlawful purposes.

Sub-section (3): Opportunity of Being Heard

The revocation of a Digital Signature Certificate permanently ends the operational period of a certificate from a specified time forward. Therefore, before taking any such harsh step, sub-section (3) provides that the certifying authority should give an opportunity of being heard in the matter to the subscriber. This is a mandatory condition; non-compliance with it will vitiate the whole proceedings. The Certifying Authority should give an opportunity of being heard to the subscriber. Personal hearing is not necessary. The Certifying Authority must inform the subscriber of his opinion as to why he would like to pass an order for revocation of digital signature certificate. He must give a notice offering an opportunity to explain his conduct.
Reasonable time must be allowed to the subscriber to answer in writing. He must comply with the essential rules of fair hearing, i.e., the rules of natural justice. If the Certifying Authority is satisfied that any one of the conditions laid down in sub-sections (1) and (2) is not satisfied, he shall give an opportunity of being heard to the subscriber. Reasonable time must be allowed to the subscriber to answer in writing, but neither examination of witnesses nor any regular trial is necessary. Such statutory hearings, even though they need not conform to the technical rules of procedure, must comply with the essential rules of fair hearing, i.e., the rules of natural justice. In other words it must not be confidential or ex parte or it must not be without giving sufficient time to answer the reasons. Hence opportunity of being heard requires that the Certifying Authority must (i) frame specific charges with full particularity; (ii) intimate those charges to the subscriber; (iii) give him an opportunity to answer those charges; and (iv) after considering his answer take its decision. Thus the Certifying Authority must observe the rules of natural justice in coming to the finding against the subscriber. Where the Certifying Authority violates the principles of natural justice, e.g., where the inquiry is confidential and is held ex parte, or the witnesses are examined in the absence of the subscriber even though he is subsequently offered an opportunity to cross-examine the opposite witnesses, or he is not given sufficient time to answer the charges or not given copies of the statements of witnesses examined, it cannot be said that a reasonable opportunity of being heard to defend himself has been given. Opportunity of being heard at this stage requires that the person should be asked to show cause against the particular punishment that has been determined by the Certifying Authority.

Section 39: Notice of suspension or revocation - (1) Where a Digital Signature Certificate is suspended or revoked under section 37 or section 38, the Certifying Authority shall publish a notice of such suspension or revocation, as the case may be, in the repository specified in the Digital Signature Certificate for publication of such notice.
(2) Where one or more repositories are specified, the Certifying Authority shall publish notices of such suspension or revocation, as the case may be, in all such repositories.

The Certifying Authority has been given authority to suspend or revoke the digital signature certificate under sections 37 or 38 respectively. Once an order for suspension or revocation is passed, it is a duty of the certifying authority to publish a notice for such suspension or revocation in the repository or repositories specified in the Digital Signature Certificate for publication of such notice. A repository is a data base of Digital Signature Certificates and other relevant information accessible online.

References
1. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
2. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008
3. Inserted by Information Technology (Amendment) Act, 2008
4. Inserted by Information Technology (Amendment) Act, 2008

CHAPTER VIII

DUTIES OF SUBSCRIBERS
The subscriber is a person in whose name the electronic or digital signature certificate is issued by the certifying authority under section 35(4) or section 36 respectively. The digital signature certificate can be granted only when the certifying authority is satisfied that the subscriber holds the private key corresponding to the public key, the private key is capable of creating a digital signature and the public key can be used to verify a digital signature affixed by the private key held by the subscriber.

Section 40: Generating Key Pair - Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate has been accepted by a subscriber, (*) the subscriber shall generate the key pair by applying the security procedure.

The first duty of the subscriber is to generate the key pair by applying the security procedure. In order to fulfil this duty, a subscriber has to accept (i) the digital signature certificate issued by the Certifying Authority, (ii) that the public key corresponds to the private key and is listed in the digital signature certificate. Rule 24 of the Information Technology (Certifying Authorities) Rules, 2000 lays down that the generation of the Digital Signature Certificate shall involve the six points mentioned in clauses (a) to (f) of the said rule. It is the duty of the Controller, Certifying Authority and the subscriber to follow the security guidelines laid down in Schedule II. While generating the key pair, the subscriber shall apply the security procedure.

Section 40-A: Duties of subscriber of Electronic Signature Certificate - In respect of Electronic Signature Certificate the subscriber shall perform such duties as may be prescribed.[1]

Section 41: Acceptance of Digital Signature Certificate - (1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorises the publication of a Digital Signature Certificate a. To one or more persons; b. In a repository, or otherwise demonstrates his approval of the Digital Signature Certificate in any manner. (2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that a. The subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same; b. All representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true; c. All information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.

The acceptance of a Digital Signature Certificate by the subscriber can be made by any of the following methods: (i) by publication, or (ii) by approval in any manner. If the subscriber publishes the Digital Signature Certificate (a) to one or more persons, or (b) in a repository, he shall be deemed to have accepted the Digital Signature Certificate. Such a deemed acceptance is a fiction created by provisions of this section. If the subscriber does not make publication, he may demonstrate his approval by key management or any other manner. When the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that he holds the private key corresponding to the public key and that all representations made by him to the certifying authority and all material contained in the digital signature certificate are true, he demonstrates the approval of a Digital Signature Certificate. It denotes that he has a notice of the information and contents and that he has accepted the certificate.

Section 42: Control of Private Key - (1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure. (2) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, then, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations. Explanation - For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.

It is the duty of the subscriber to (i) exercise reasonable care to retain control of the private key and (ii) take all steps to prevent the disclosure of the private key. Under Rule 19 of Schedule III the certifying authority must protect the private keys from disclosure. Under Rule 20 of the same Schedule III, on the termination of use of a private key, all copies of the private key in computer memory and shared disk space must be securely destroyed by over-writing. Under Rule 21 the validity period of a key should not be more than 5 years. The validity period for the subscriber's private key has been fixed as three years. According to Rule 28 of the Information Technology (Certifying Authorities) Rules, 2000, where a digital signature certificate in operational use becomes compromised, it shall be revoked in accordance with the procedure defined in the Certification Practice Statement of the Certifying Authority.
The certificate shall remain in the compromised state for only such time as it takes to arrange for revocation. Guideline number 21(3) of Information Technology (Security Guidelines) has prescribed the procedure where a compromise of the Certifying Authority's Digital Signature private key has occurred. Whenever there is a violation of a security policy in which an unauthorized disclosure of, or loss of control over, sensitive information relating to the private key may have occurred, it would be a case of compromise. In such a situation it is the duty of the subscriber to communicate the same without any delay to the certifying authority. Regulation 6 of the Information Technology (Certifying Authority) Regulations, 2001 lays down that an application for revocation of the key pair shall be made in Form online on the website of the concerned certifying authority to enable revocation and publication in the Certificate Revocation List. The subscriber shall encrypt this transaction by using the public key of the certifying authority. The transaction shall be further authenticated with the private key of compromised.

The words "without any delay" used in sub-section (2) are important. As soon as it comes to the knowledge of the subscriber that the private key has been compromised or its violation is suspected, he shall immediately inform online on the website of the concerned Certifying Authority, in a form prescribed under the regulations, that the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised. The explanation to sub-section (2) therefore says that in case of any delay the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.

Reference
1. Inserted by Information Technology (Amendment) Act, 2008

CHAPTER IX

PENALTIES, COMPENSATION AND ADJUDICATION


Section 43: Penalty and Compensation for damage to computer, computer system, etc. - If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,
a. accesses or secures access to such computer, computer system or computer network or computer resource;
b. downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
c. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
d. damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programs residing in such computer, computer system or computer network;
e. disrupts or causes disruption of any computer, computer system or computer network;
f. denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
g. provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
h. charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
i. destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
j. steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
he shall be liable to pay damages by way of compensation to the person so affected.

Explanation - For the purposes of this section,
(i) "Computer Contaminant" means any set of computer instructions that are designed
a. to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or
b. by any means to usurp the normal operation of the computer, computer system, or computer network;
(ii) "Computer Database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;
(iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;
(iv) "Damage" means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means;
(v) "Computer Source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

The title of this section has been amended in place of the old title "Penalty for damage to computer, computer system etc." The addition of the word "compensation" has brought sense to this section. Still the word "penalty" is conspicuously absent in the whole body of section 43. Section 45 deals with both the compensation and penalty. Section 46 gives powers to the Adjudicating Officer to impose penalty or award compensation. Section 64 deals with recovery of penalty. If we read all these sections together, we will come to the conclusion that the title "Penalty and Compensation for damage to computer, computer system" of this chapter is the proper heading for providing remedy for the civil wrong. This section provides penalty and compensation for damage caused to any computer, computer system or computer network by unauthorized access, introduction of computer virus, damage, disruption or any other types of mischief. Any person who is found guilty of contravening this section is liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person affected thereby. Various grounds for causing damage to the computer, computer system or computer network have been enumerated from clause (a) to clause (j) of this section.
Clause (a) has put a civil liability to pay damages by way of compensation on a person who (i) without permission of the owner of a computer, computer system or computer network makes access or secures access to such computer, computer system or computer network or computer resource; or (ii) without permission of any other person who is in charge of a computer, computer system or computer network makes access or secures access to such computer, computer system or computer network or computer resource. The words "access or secures access" are important. Access means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system, computer network or computer resource. In the case of any department of the Central Government, any access to their computer, computer system, computer network or computer resource will constitute an attack on the National security. The electronic record may consist of the following matters: (i) national security; (ii) defence equipments; (iii) public security. In addition to the above, the electronic record may be related to the following matters: (i) the prevention, investigation, detection and prosecution of criminal offences; (ii) economic, financial and taxation matters. In the case of any multi-national company or public or private limited company or firm, the importance of their economic, financial and taxation matters cannot be denied. Any person making access to such matters without permission of the owner or other person who is in charge shall be liable to pay damages by way of compensation. The damages shall be decided by the Adjudicating Officer after holding an inquiry in the matter.

Clause (b) provides that if any person, without permission of the owner or any other person who is in charge of the computer, computer system or computer network, (i) downloads any data, computer data base or information from such computer, computer system or computer network, (ii) takes copies of any data, computer data base or information from such computer, computer system or computer network, or (iii) takes extracts of any data, computer data base or information from such computer, computer system or computer network, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. If any information or data are stored in any removable storage medium, and they are downloaded, copied or extracted, the person concerned shall be similarly liable to pay damages.

Computer Database
According to explanation (ii) below section 43, "computer database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network.

As per clause (c), if any person, without any permission of the owner or any other person who is in charge of a computer, computer system or computer network (i) introduces any computer contaminant or computer virus, (ii) causes to be introduced any computer contaminant or computer virus. According to explanation (i) below section 43, the term "computer contaminant" means any set of computer instructions that are designed (a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network.

Computer Virus
Similarly, according to explanation (iii) below section 43, "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource. There is a slight difference between the definitions of the terms "computer contaminant" and "computer virus". The contaminant can pollute or corrupt the documents or can destroy the document, whereas the virus is like a poisonous matter which infects computer files by inserting a copy of itself into those files. When the file is loaded into memory the virus can infect still other files.

For clause (d), the word "damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means. If any person without the permission of the owner or any other person who is in charge of a computer, computer system or computer network destroys or alters, or deletes, any computer etc., he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. Any person causing damage to such computer database is liable to a penalty specified in this section. If any programme has been inserted in the computer, computer system or computer network by the owner or a person in charge of the computer and such programme is damaged, the person causing such damage shall be liable to pay damages as per the provisions of this section.

According to clause (e), the term "disrupt" means to shatter, to splint or to derange any system. If any person without the permission of the owner or any other person who is in charge disrupts the computer, or its system or its network, he commits a civil wrong and is liable to pay damages by way of compensation not exceeding one crore to the person so affected. Each owner or person in charge of the computer should establish a contingency plan consisting of a strategy for recovering from unplanned disruption of information processing operations. The strategy includes the identification and priority of what must be done, who performs the required action, and what tools must be used. This would help in saving the information disrupted by any person.

As per clause (f), if a person is authorized to make access to any computer, computer system and computer network and such person is denied access without the permission of the owner or any other person, the person causing such denial shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. According to the provisions of this Act, the following persons are authorized to make access to the computer, computer system and computer network: (i) the Controller of Certifying Authorities, or (ii) any person authorized by the Controller to exercise such power, (iii) any person authorized by the appropriate government to access a protected system, (iv) the operational staff of the Certifying Authority, who shall exercise access to confidential information on a need-to-know and need-to-use basis. In addition to the above, the owner may authorize any person to make access to a computer, computer system or computer network.
However, as per clause (g), if any employee of the owner, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, provides any assistance to any outsider to facilitate access to the computer, computer system or computer network, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. The damages shall be decided by the Adjudicating Officer after holding an inquiry in the matter.

Clause (h) says that if any person without the permission of the owner or any other person who is in charge of a computer, computer system or computer network charges the services availed of by a person to the account of another person by (i) tampering with or (ii) manipulating the computer, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. If any person makes unauthorized changes in the information or e-record stored in the computer, he shall be deemed to have tampered with the information or e-record. On the other hand, if a person manages to change or feed information in the computer to his own advantage, he shall be deemed to have manipulated the information in the computer.

As per clause (i), if any person without the permission of the owner or any other person who is in charge of a computer, computer system or computer network, (a) destroys, deletes or alters any information residing in a computer resource, or (b) diminishes its value or utility or affects it injuriously by any means, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Lastly, according to clause (j), if any person without the permission of the owner or any other person who is in charge of a computer, computer system or computer network: (a) steals, conceals, destroys or alters any computer source code used for a computer resource with an intention to cause damage, or (b) causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
The term "computer source code" means the listing of programmes, computer commands, designs and layout and programme analysis of computer resource in any form.

Section 43A: Compensation for failure to protect data - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation: For the purposes of this section,
i. "Body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
ii. "Reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
iii. "Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.¹

The corporate responsibility for data protection is incorporated in Section 43A in the amended IT Act, 2000 whereby corporate bodies handling sensitive personal information or data in a computer resource are under an obligation to ensure adoption of reasonable security practices to maintain its secrecy, failing which they may be liable to pay damages. Also, there is no limit to the amount of compensation that may be awarded by virtue of this section. This section must be read with Section 85 of the IT Act, 2000 whereby all persons responsible to the company for conduct of its business shall be held guilty in case an offence was committed by a company, unless absence of knowledge or due diligence to prevent the contravention is proved. Insertion of this provision is of particular significance to BPO companies that handle such sensitive information in the regular course of their business.

This provision is important to secure sensitive data and is hence a step in the right direction. However, the challenge is to first elucidate what we qualify as "reasonable security practices". The Act in the explanation to Section 43A indicates that these are procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure, or impairment, as may be specified in an agreement between parties or as may be specified by any law for the time being in force and in absence of both, as may be prescribed by the Central Government in consultation with professional bodies/associations. The law explaining the definition of "reasonable security practices" is yet to be laid down and/or the Central Government is yet to frame its rules thereon. Perhaps, we can take guidance from certain foreign laws on data protection and standards laid down in the European Union or by organizations such as the OECD in protection of sensitive personal data. It is a challenge for the Central Government to prescribe, in consultation with professional bodies, the information that will fall within the meaning of "sensitive personal data or information".

When a body corporate is negligent in implementing and maintaining reasonable security practices and procedures (a) in possessing, dealing or handling any sensitive personal data, or (b) in possessing, dealing or handling any sensitive information, in a computer resource which it owns, controls or operates, and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected.
According to explanation (i) body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The only condition is that such body corporate must be engaged in commercial or professional activities.

Reasonable security practices and procedures


According to explanation (ii), "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. The use of a pirated version of software is not authorized, and if the body corporate is not careful in making use of that, it is said to be negligent in protecting personal data or information. It may contain a virus, which may cause damage to the computer resource.

As per the IPC, wrongful gain is gain by unlawful means of property to which the body corporate gaining is not legally entitled. Wrongful loss is the loss by unlawful means of property to which the body corporate losing it is legally entitled. A body corporate is said to lose wrongfully when such body corporate is wrongfully kept out of any property as well as when such body corporate is wrongfully deprived of property. Such body corporate shall be liable to pay damages by way of compensation to the person so affected. Damages are compensatory and not penal, and one who has suffered loss from breach of contract must take every reasonable step that is available to him to mitigate the extent of damages caused by the breach. The test to determine whether his behavior was reasonable is to see whether he did what a prudent man might have reasonably done if the whole expense was to fall on him. Compensatory damages of an economic nature may also be recovered by an injured party. A plaintiff may recover for loss of earnings resulting from an injury.

Section 44: Penalty for failure to furnish information, return, etc. - If any person who is required under this Act or any rules or regulations made there under to
a. furnish any document, return or report to the Controller or the Certifying Authority, fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure;
b. file any return or furnish any information, books or other documents within the time specified therefor in the regulations, fails to file return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;
c. maintain books of account or records, fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues;

The Controller of Certifying Authorities or any officer authorized by him may require any person to furnish any document, return or report and if he fails to furnish the same, he shall be liable to a penalty specified in clause (a) of section 44. Similarly, if the Controller of Certifying Authorities or any officer authorized by him requires any person to file any return or furnish any information, books or documents within a time specified in the order, and that person fails to do so, he shall be liable to a penalty specified in clause (b) of section 44. If any person is required by the Controller of Certifying Authorities or any officer authorized by him to maintain books of accounts or records and such person fails to maintain the same, he shall be liable to the penalty specified in section 44(c).

Section 45: Residuary Penalty - Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.

Sections 43 and 44 have fixed civil liability on the persons committing certain civil wrongs. These are in the shape of (i) penalties for damage to computer, computer system and computer network and (ii) penalty for failure to furnish information, return, books of accounts and records etc.
For the contravention of the remaining acts any such person shall be liable to pay compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees. The compensation or penalty shall be payable by the wrong-doer if he commits any one of the acts (ii) act which amounts to the contravention of the provisions of any rules made under this Act, and such act is not covered under sections 43 and 44 of the Act, or (iii) act which amounts to the contravention of the provisions of any regulations made under this Act, and such act is not covered under sections 43 and 44 of the Act. The heading of this section is "residuary penalty", whereas in the whole language of this section the word "residuary" has not been used. The method adopted by this Act is that the Controller or any officer authorized by him must find out whether all categories of civil wrongs mentioned in sections 43 and 44 have been absolutely exhausted and thereafter he should think of falling back on the residuary civil wrong mentioned in the rules and regulations. If no clause of section 43 or 44 covers a civil wrong, it must be regarded as a civil wrong falling under this section, if it is supported by the provisions of any rules and regulations.

Section 46: Power to Adjudicate - (1) For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made there under which renders him liable to pay penalty or compensation, the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.
(1-A) The adjudicating officer appointed under sub-section (1) shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed rupees 5 crore: Provided that the jurisdiction in respect of claim for injury or damage exceeding rupees 5 crore shall vest with the competent court.
(2) The adjudicating officer shall, after giving the person referred to in sub-section (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty as he thinks fit in accordance with the provisions of that section.
(3) No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and Legal or Judicial experience as may be prescribed by the Central Government.
(4) Where more than one adjudicating officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.
(5) Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of section 58, and
a. all proceedings before it shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code;
b. shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973;
c. shall be deemed to be a Civil Court for purposes of order XXI of the Civil Procedure Code, 1908 (5 of 1908).

Section 46 of the Act grants the Central Government the power to appoint an adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating officer, contraventions of the Act. The adjudicating officer may be of the Central Government or of the State Government,² must have field experience with information technology and law³ and exercises jurisdiction over claims for damages up to Rs. 5,00,00,000.⁴ For the purpose of adjudication, the officer is vested with certain powers of a civil court⁵ and must follow basic principles of natural justice while conducting adjudications.⁶ Hence, the adjudicating officer appointed under section 46 is a quasi-judicial authority.
In addition, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court,⁷ and award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss and repeat offences.⁸ The adjudicating officer may impose penalties for any of the offences described in section 43, section 44 and section 45 of the Act; and, further, may award compensation for losses suffered as a result of contraventions of section 43 and section 43A. The text of these sections is reproduced in the Schedule below. Further law as to the appointment of the adjudicating officer and the procedure attendant on all adjudications was made by the Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003.

As per these Rules, the purpose and intent of Section 46(3) of the IT Act is that the Adjudicating Officer should be a person so qualified and experienced to take decisions with a view in relation to Information Technology aspects as well as in a position to determine the complaints keeping in view the legal or judicial mannerism on the principle of compensation of damages of the IT Act. A person shall not be qualified for appointment as Adjudicating Officer unless the person
(a) Possesses a University graduate Bachelor degree or equivalent, recognized by Central Government / State Government for the purpose of recruitment to Grade I Service in a Government Department through Union / State Public Service Commission;
(b) Possesses Information Technology experience in the areas of relevance to public interface with Central / State Government functioning and experience obtained through the in-service training imparting competence to operate computer system to send and receive e-mails or other information through the computer network, exposure and awareness about the method of carrying information, data, sound, images or other electronic records through the medium of network including Internet;
(c) Possesses legal or judicial experience to discharge responsibilities connected with the role of Central / State Government in respect of making decisions or orders in relation to administration of laws as a District Magistrate, or Additional District Magistrate or Sub-Divisional Magistrate or an Executive Magistrate or in other administrative or quasi-judicial capacity for a cumulative period of 5 years;

(d) Is working and holding a post in Grade I in Government Department either in State Government/Union Territories to perform functional duty & discharge job responsibility in the field of Information Technology;

(e) Is an in-service officer not below the rank of Director to the Government of India or an equivalent officer of State Government.

Section 46(1) of the Act provides for the appointment of an Adjudicating Officer for the purpose of adjudicating under Chapter IX whether any person has contravened any provisions of the Act. Although Section 46(1) is slightly confusing, a careful scrutiny of it would reveal that the Adjudicating Officer is empowered only to determine contraventions under Sections 43, 44 and 45 of the Act and nothing else. Chapter XI of the Act deals with offences and provides for punishment of fine and/or imprisonment for committing offences like tampering with computer source documents, hacking and other offences prescribed therein. The trial of these offences would not fall within the Adjudicating Officer's jurisdiction. This is all the more clear when one considers the fact that the Adjudicating Officer has been conferred with the powers of a Civil Court under Section 46(5) of the Act. The trial of offences committed under Chapter XI of the Information Technology Act would therefore still be before the Jurisdictional Magistrate under the provisions of the Code of Criminal Procedure. However, the jurisdiction of an Adjudicating Officer appointed under the provisions of the Information Technology Act would extend only to:

a. Determining the extent of damages payable by a person contravening Section 43, to the person so affected;
b. Determining the amount of penalty payable by a person for his failure to furnish information, returns, etc. as required under the Act or its Rules; and
c. Determining the amount of penalty/damages payable by a person for contravening the provisions of the Act, Rules or Regulations for which no separate penalty is provided.
It is clear that the adjudicating officer is vested with significant judicial powers, including the power to enforce certain criminal penalties, and is an important quasi-judicial authority.

Section 47: Factors to be taken into account by the adjudicating officer - While adjudging the quantum of compensation under

this Chapter the adjudicating officer shall have due regard to the following factors, namely:

a. The amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
b. The amount of loss caused to any person as a result of the default;
c. The repetitive nature of the default.

At the time of deciding the quantum of compensation, the Adjudicating Officer shall keep in mind the rational basis of the compensation, which has to be assessed not arbitrarily but on well recognized legal principles, and that the compensation to be awarded must have rational relation to the nature and extent of injury, inconvenience or physical and mental suffering caused to the complainant by the action or omission of the non-complainant. In addition to the many grounds for considering quantum of compensation, the Adjudicating Officer should give due regard to the following points also:

a. the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
b. the amount of loss caused to any person as a result of the default;
c. the repetitive nature of the default.

Gain of unfair advantage

Generally, the amount of gain of unfair advantage is not quantifiable. The nature of gain of unfair advantage depends on the facts and circumstances of each case. If a person makes access to a computer and downloads any data, data base or information and gains by such an unfair activity, he shall be liable to pay damages by way of compensation. The only condition is that if such a gain of unfair advantage is quantifiable, the quantum be decided. The quantification of compensation is to be done on a rational basis. The compensation to be awarded must have rational relation to the:

i. Nature of access or damage caused to the computer or computer contaminant or virus introduced in the computer,
ii. Nature of loss caused to the data, data base or information held or stored in any removable storage medium,
iii. Period of access or damage caused to the computer,

iv. Nature of unfair advantage obtained by the wrong doer by the use of such data, data base or information,
v. Inconvenience and physical or mental suffering caused to the owner of the computer as a result of such default.

The Adjudicating Officer will have to take a realistic and pragmatic view of the damages caused to the owner of the computer, computer system or computer network and, where it is manifest that real advantage was obtained by the wrong doer, it shall determine what will be the reasonable compensation payable in respect of such a gain of unfair advantage.

Amount of loss caused to any person

The quantum of compensation has to be determined after taking careful appraisal of the evidence on record and all the relevant facts and circumstances having a bearing on the quantification of the loss etc. As has been repeatedly pointed out by the Supreme Court, any arbitrary exercise of power by a judicial or quasi-judicial authority would be an improper exercise of jurisdiction vested in such authority by law. The Adjudicating Officer should be quite liberal in the assessment of the loss and, after taking into account all the circumstances in which the delay in settling the claim had occurred, should fix the quantum of compensation it considers reasonable to award in respect of any delay. It is not just and fair to insist that the complainant should perform the impossible task of furnishing particulars in regard to the nature of inconvenience suffered by him. While adjudging the quantum of compensation, the Adjudicating Officer shall keep in mind:

i. Value of the first default made or damage caused,
ii. Value of the second or subsequent default made or damage caused,
iii. Nature of profit earned by the respondent by the use of information obtained by him,
iv. Increased cost of data, database or information from the date of filing the claim till the date of decision given by the Adjudicating Officer,
v. Hardship, pain and suffering caused to the applicant due to the delay in the settlement of claim.

References

1. Inserted by Information Technology (Amendment) Act, 2008
2. see section 46(1) of the Act
3. see section 46(3) of the Act
4. see section 46(1A) of the Act
5. see section 46(5) of the Act
6. see section 46(2) of the Act
7. see section 46(2) of the Act
8. see section 47 of the Act

CHAPTER X

THE CYBER APPELLATE TRIBUNAL


Judicial arrears and case pendency are not a new problem. We have been dealing with these issues and problems for some time now. The setting up of quasi-judicial tribunals was seen as one way of reducing this pendency. Here tribunals would adjudicate disputes based on their thin and defined areas of competence and achieve efficiency in disposal and accuracy in rendering decisions. India's experience with quasi-judicial tribunals in its introductory stage was with labor and service laws. Hence the Central Administrative Tribunal (CAT), which deals with these disputes, was founded in 1985 and was considered one of the initial flag bearers of administrative law in India. With the increased focus on sectoral adjudication there has been a mushrooming of quasi-judicial tribunals which deal with disputes in their specific domains. A tribunal which has been receiving its fair amount of the press is the Competition Appellate Tribunal (CAT) headed by former Supreme Court Justice Hon'ble Arijit Pasayat. The latest CAT is the Cyber Appellate Tribunal. Even though the Information Technology Act had clear provisions on the establishment of the Cyber Appellate Tribunal way back in 2000 when the enactment was notified.

The Government of India enacted the Information Technology (IT) Act, 2000. As per Section 46 sub-section 5 of this Act, the Cyber Appellate Tribunal has been established under the IT Act under the aegis of the Controller of Certifying Authorities (CCA). A Cyber Appellate Tribunal consists of one Presiding Officer who is qualified to be a Judge of a High Court or is or has been a member of the Indian Legal Service and is holding or has held a post in Grade I of that Service for at least three years, supported by other officials under him/her. The Cyber Appellate Tribunal has, for the purposes of discharging its functions under the IT Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908. However, it is not

bound by the procedure laid down by the Code of Civil Procedure, 1908 but is guided by the principles of natural justice and, subject to the other provisions of this Act and of any rules, has powers to regulate its own procedure including the place at which it has its sittings. Justice Rajesh Tandon is the current Chairperson of the Cyber Appellate Tribunal, supported by Registrar Mr. R.K. Uppal, at New Delhi.

Every State should have an Adjudicating Officer, who shall have the powers of the civil court, and all the proceedings before the adjudicating officer shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code. The Government of India has decided that IT Secretaries of the state governments will function as Adjudicating Officers for holding an enquiry in their respective states and their jurisdiction shall extend to the entire state. The Adjudicating Officers will be responsible for conducting field enquiries in cyber crimes or in cyber offences registered under the Information Technology Act, 2000. Accordingly a Gazette notification was issued by GoI. As decided by GoI, the Adjudicating Officer for the state of Andhra Pradesh will be the Principal Secretary to Government, IT&C Department. The theme of cyber crime may involve phishing, cyber frauds, malware, denial of service, cyber espionage, identity theft, data theft, mobile device attacks, financial crimes, social engineering, cyber terrorism, spam etc. Members of the public who are affected by cyber crime may lodge a complaint with the Adjudicating Officer for holding an enquiry.

Section 48: Establishment of Cyber Appellate Tribunal - (1) The Central Government shall, by notification, establish one or more appellate tribunals to be known as the Cyber Appellate Tribunal.
(2) The Central Government shall also specify, in the notification referred to in sub-section (1), the matters and places in relation to which the Cyber Appellate Tribunal may exercise jurisdiction. The present section provides for the establishment of the tribunal called the cyber appellate tribunal and the power for the same is given to the central government. The object behind the establishment of a tribunal seems to be that proceeding in a civil court would

be more lengthy and dilatory and would keep the persons for whose benefit the Act is intended engaged in the pursuit of litigation for a good part of their legitimate occupation, and that such proceedings would also be more expensive. Rule 13 of the Cyber Appellate Tribunal (Procedure) Rules, 2000 provides that the tribunal shall ordinarily hold its sittings at New Delhi. However, if the chairperson of the tribunal is satisfied that circumstances exist which render it necessary to have sittings of the tribunal at any place other than New Delhi, it can be directed to hold its sittings at any such other appropriate place. Rule 12 provides that the tribunal shall notify to the parties the date and place of hearing of the application. Sub-section 2 of this section suggests that the subject matter jurisdiction or the territorial jurisdiction of each tribunal should be notified by the central government. However, territorial boundaries in cyberspace are vanishing, as there is no physical location of the computer or its user.

Section 49: Composition of Cyber Appellate Tribunal - (1) The Cyber Appellate Tribunal shall consist of a Chairperson and such number of other Members, as the Central Government may, by notification in the Official Gazette, appoint:

Provided that the person appointed as the Presiding Officer of the Cyber Appellate Tribunal under the provisions of this Act immediately before the commencement of the Information Technology (Amendment) Act, 2008 shall be deemed to have been appointed as the Chairperson of the said Cyber Appellate Tribunal under the provisions of this Act as amended by the Information Technology (Amendment) Act, 2008.

(2) The selection of Chairperson and Members of the Cyber Appellate Tribunal shall be made by the Central Government in consultation with the Chief Justice of India.

(3) Subject to the provisions of this Act -

a. The jurisdiction, powers and authority of the Cyber Appellate Tribunal may be exercised by the Benches thereof;
b. A Bench may be constituted by the Chairperson of the Cyber Appellate Tribunal with one or two members of such Tribunal as the Chairperson may deem fit;
c. The Benches of the Cyber Appellate Tribunal shall sit at New Delhi and at such other places as the Central Government may, in consultation with the Chairperson of the Cyber Appellate Tribunal, by notification in the Official Gazette, specify;
d. The Central Government shall, by notification in the Official Gazette, specify the areas in relation to which each Bench of the Cyber Appellate Tribunal may exercise its jurisdiction.

(4) Notwithstanding anything contained in sub-section (3), the Chairperson of the Cyber Appellate Tribunal may transfer a Member of such Tribunal from one Bench to another Bench.

(5) If at any stage of the hearing of any case or matter, it appears to the Chairperson or a Member of the Cyber Appellate Tribunal that the case or matter is of such a nature that it ought to be heard by a Bench consisting of more Members, the case or matter may be transferred by the Chairperson to such Bench as the Chairperson may deem fit.

The composition of the Cyber Appellate Tribunal is provided for under section 49 of the Information Technology Act, 2000. Initially the Tribunal consisted of only one person, referred to as the Presiding Officer, who was to be appointed by way of notification by the Central Government. Thereafter the Act was amended in the year 2008, by which section 49, which provides for the composition of the Cyber Appellate Tribunal, was changed. As per the amended section the Tribunal shall consist of a Chairperson and such number of other Members as the Central Government may by notification in the Official Gazette appoint. The selection of the Chairperson and Members of the Tribunal is made by the Central Government in consultation with the Chief Justice of India. The Presiding Officer of the Tribunal is now known as the Chairperson.
Sub-section 3 of this section provides that the tribunal will exercise its jurisdiction, powers and authority through benches. A bench may be constituted by the chairperson of the cyber appellate tribunal with one or two members of such tribunal as he may deem fit. The benches of the tribunal will sit at New Delhi and at

such other places as the central government, in consultation with the chairperson, may by notification in the official gazette specify under clause (c). Sub-section 5 indicates the strength of the benches, which could be extended from a single bench to a full bench consisting of three or more members.

Section 50: Qualifications for appointment as Chairperson and Members of Cyber Appellate Tribunal - (1) A person shall not be qualified for appointment as a Chairperson of the Cyber Appellate Tribunal unless he is, or has been, or is qualified to be, a Judge of a High Court;

(2) The Members of the Cyber Appellate Tribunal, except the Judicial Member to be appointed under sub-section (3), shall be appointed by the Central Government from amongst persons having special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs:

Provided that a person shall not be appointed as a Member, unless he is, or has been, in the service of the Central Government or a State Government, and has held the post of Additional Secretary to the Government of India or any equivalent post in the Central Government or State Government for a period of not less than one year or Joint Secretary to the Government of India or any equivalent post in the Central Government or State Government for a period of not less than seven years.

(3) The Judicial Members of the Cyber Appellate Tribunal shall be appointed by the Central Government from amongst persons who is or has been a member of the Indian Legal Service and has held the post of Additional Secretary for a period of not less than one year or Grade I post of that service for a period of not less than five years.

It provides that, for being the chairperson of the tribunal, the member must possess one of the following qualifications:

- He is working as the judge of the high court, or
- He has been the judge of the high court

- He is qualified to be the judge of the high court

The Act does not prescribe any technical qualification for the person to be appointed as chairperson of the cyber appellate tribunal. It is hoped that after his appointment, the chairperson will acquire a minimum working knowledge at his own level. Sub-sections 2 and 3 provide the qualifications for the members of the tribunal. Members can be categorised as judicial and non-judicial members. The non-judicial member must have special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs. Apart from this, it is further required that he is or has been in the service of the central government or a state government and has held the post of additional secretary to the government of India or any equivalent post in the central government or state government for a period of not less than one year, or joint secretary to the government of India or any equivalent post in the central government or state government for a period of not less than seven years. As regards the judicial member, he must be or have been a member of the Indian Legal Service and must have held the post of Addl. Secretary for a period of not less than one year, or a Grade I post of that service for a period of not less than five years. All this process must be carried out in consultation with the Chief Justice of India.

Section 51: Term of office, conditions of service etc. of Chairperson and Members - (1) The Chairperson or Member of the Cyber Appellate Tribunal shall hold office for a term of five years from the date on which he enters upon his office or until he attains the age of sixty-five years, whichever is earlier.
(2) Before appointing any person as the Chairperson or Member of the Cyber Appellate Tribunal, the Central Government shall satisfy itself that the person does not have any such financial or other interest as is likely to affect prejudicially his functions as such Chairperson or Member. (3) An officer of the Central Government or State Government on his selection as the Chairperson or Member of the Cyber Appellate Tribunal, as the case may be, shall have to retire from service before joining as such

Chairperson or Member.

The chairperson or the member of the cyber appellate tribunal shall hold office for a term of five years, and shall not be eligible for reappointment. The retiring age of the chairperson is fixed at 65 years. Thus if he attains that age before completing the tenure of 5 years, he must retire. It follows that once this disqualification of attaining the age of 65 years is incurred, there is an automatic cessation from holding office. As per sub-section 3, an officer of the central or state government, on his selection as the chairperson or member of the cyber appellate tribunal, as the case may be, shall have to retire from service before joining as such chairperson or member.

Section 52: Salary, allowance and other terms and conditions of service of Chairperson and Member - The salary and allowances payable to, and the other terms and conditions of service including pension, gratuity and other retirement benefits of, the Chairperson or a Member of Cyber Appellate Tribunal shall be such as may be prescribed.

The central government framed the Cyber Appellate Tribunal (Salary, Allowance and Other Terms and Conditions of Service of Chairperson and Members) Rules, 2009 for the salary and allowances payable to, and the other terms and conditions of service of, the chairperson or members of the tribunal. These rules of 2009 deal with the salary and allowance, level, pension, provident fund, TA, DA, house rent allowance, medical treatment etc. Rule 12 of these rules provides that the chairperson or the member, before entering upon his office, makes and subscribes an oath of office and secrecy in the forms annexed to these rules.

Section 52-A: Powers of superintendence, direction, etc.
- The Chairperson of the Cyber Appellate Tribunal shall have powers of general superintendence and directions in the conduct of the affairs of that Tribunal and he shall, in addition to presiding over the meetings of the Tribunal, exercise and discharge such powers and functions of the Tribunal as may be prescribed.1 The chairperson of the tribunal has the power of general superintendence in the conduct of the affairs of the tribunal within

the territory of India. However, this power is subject to two limitations, i.e., the tribunal shall follow the rules of law and shall act in accordance with norms of natural justice. Therefore the exercise of this power by the tribunal is subject to judicial review. These powers include the power to call and preside over the meetings of the tribunal, to make and issue general rules and prescribe forms for regulating the proceedings of the tribunal, and to prescribe forms in which books, entries and accounts are to be kept by the officers. The power of superintendence extends to administrative and judicial superintendence. It may even be exercised suo motu in the interest of justice. The power of conducting the affairs of the tribunal includes the power to constitute a bench to hear the matter and to give power to one or more benches to hear interlocutory applications. The tribunal may constitute a bench or benches to discharge its functions. However, if the tribunal refuses to exercise the power of superintendence, the Supreme Court or the High Court may give directions to the tribunal.

Section 52-B: Distribution of Business among Benches - Where Benches are constituted, the Chairperson of the Cyber Appellate Tribunal may, by order, distribute the business of that Tribunal amongst the Benches and also the matters to be dealt with by each Bench.2

It basically provides for two things: first, the distribution of business of the tribunal amongst the benches, and second, the distribution of the matters to be dealt with by each bench. This section authorises the chairperson to allocate the business and matters of the tribunal amongst its benches for the more convenient transaction of that business. All benches excepting those in which the chairperson is required to act in his direction have to be allocated the business and matters of the tribunal.
Section 52-C: Powers of the Chairperson to transfer cases - On the application of any of the parties and after notice to the parties, and after hearing such of them as he may deem proper to be heard, or suo motu without such notice, the Chairperson of the Cyber Appellate Tribunal may transfer any case pending before one Bench, for disposal to any other Bench.3

The chairperson of the tribunal may transfer any case pending before one bench, for disposal to any other bench, on the application of any of the parties after notice and hearing, or suo motu without such notice. No one should suffer because of the mistake of the court or tribunal. No man should suffer a wrong by technical proceeding or irregularities.

Section 52-D: Decision by majority - If the Members of a Bench consisting of two Members differ in opinion on any point, they shall state the point or points on which they differ, and make a reference to the Chairperson of the Cyber Appellate Tribunal who shall hear the point or points himself and such point or points shall be decided according to the opinion of the majority of the Members who have heard the case, including those who first heard it.4

If there is a difference of opinion between two members of a bench on a point, the disputed point will be heard by the chairperson as a third member, and the opinion of the majority of the three members will become the decision of the tribunal. However, if the original dispute was decided by a three-member bench and a subsequent dispute involving the correctness of certain observations had been decided by a two-member bench, the matter would be referred to the chairperson to avoid contradiction and inconsistency in the order.

Section 53: Filling up of vacancies - If, for reason other than temporary absence, any vacancy occurs in the office of the Chairperson or Member, as the case may be, of a Cyber Appellate Tribunal, then the Central Government shall appoint another person in accordance with the provisions of this Act to fill the vacancy and the proceedings may be continued before the Cyber Appellate Tribunal from the stage at which the vacancy is filled.
A vacancy in the office of the chairperson or member may occur on resignation, retirement, death, removal, illness or if the appointment of the chairperson or the member is declared void by

the court or otherwise, etc. However, illness will amount to a temporary vacancy. In case a new person is appointed as chairperson or member, the proceedings may be continued before the cyber appellate tribunal from the stage at which the vacancy was filled.

Section 54: Resignation and removal - (1) The Chairperson or Member of the Cyber Appellate Tribunal may, by notice in writing under his hand addressed to the Central Government, resign his office:

Provided that the said Chairperson or the Member shall, unless he is permitted by the Central Government to relinquish his office sooner, continue to hold office until the expiry of three months from the date of receipt of such notice or until a person duly appointed as his successor enters upon his office or until the expiry of his term of office, whichever is the earliest.

(2) The Chairperson or the Member of a Cyber Appellate Tribunal shall not be removed from his office except by an order by the Central Government on the ground of proved misbehavior or incapacity after an inquiry made by a Judge of the Supreme Court in which the Chairperson or the Member concerned has been informed of the charges against him and given a reasonable opportunity of being heard in respect of these charges.

(3) The Central Government may, by rules, regulate the procedure for the investigation of misbehavior or incapacity of the aforesaid Chairperson or the Member.

On receipt of the report from the committee appointed under Rule 3 of the Cyber Appellate Tribunal (Procedure for Investigation of Misbehavior or Incapacity of Chairperson or Members) Rules, 2009, if the President is of the opinion that the truth of any imputation of misbehavior or incapacity of a chairperson or the member, he shall make a reference to the Chief Justice of India, requesting him to nominate a judge of the Supreme Court to conduct the inquiry under Rule 4.
As per Rule 3 (1) and (2) If a written complaint, alleging any definite charges of misbehaviour or incapacity to perform the functions of the offices in respect of a Chairperson or Member, is received by the Central Government, it shall make a preliminary scrutiny of

such complaint. If on preliminary scrutiny, the Central Government considers it necessary to investigate into the allegation, it shall place the complaint together with supporting material as may be available, before a Committee consisting of the following officers to investigate the charges of allegations made in the complaint:

(i) Secretary (Co-ordination and Public Grievances), Cabinet Secretariat - Chairman;
(ii) Secretary, Department of Information Technology - Member;
(iii) Secretary, Department of Legal Affairs, Ministry of Law and Justice - Member.

According to Rule 4(2), a Supreme Court judge nominated by the Chief Justice of India is appointed to investigate and conduct the inquiry. Rule 4(5) lays down that the judge shall complete the inquiry within such time or further time as may be specified by the President. Rule 4(12) allows representation through advocates by both the parties. Rule 4(4) provides that the President shall forward to the Judge a copy of:

(a) The articles of charges against the Chairperson or Member concerned and the statement of imputations;
(b) The statement of witnesses, if any; and
(c) Material documents relevant to the inquiry.

As per Rule 4(6), the Chairperson or Member concerned shall be given a reasonable opportunity of presenting a written statement of defence within such time as may be specified in this behalf by the Judge. However, under Rule 4(7), where it is alleged that the Chairperson or Member concerned is unable to discharge the duties of his office efficiently due to any physical or mental incapacity and the allegation is denied, the Judge may arrange for the medical examination of the Chairperson or Member by such Medical Board as may be appointed for the purpose by the President, and the Chairperson or Member concerned, as the case may be, shall submit himself to such medical examination within the time specified in this behalf by the Judge.
According to sub-rule (8), the Medical Board shall undertake such medical examination of the Chairperson or Member, as the case may be, as may be considered necessary and submit a report to the

Judge stating therein whether the incapacity is such as to render the Chairperson or Member unfit to continue in office. According to sub-rule (9), if the Chairperson or Member refuses to undergo such medical examination as considered necessary by the Medical Board, the Board shall submit a report to the Judge stating therein the examination which the Chairperson or Member has refused to undergo, and the Judge may, on receipt of such report, presume that the Chairperson or Member, as the case may be, suffers from such physical or mental incapacity as is alleged in the Chairperson or Member.

Section 55: Orders constituting Appellate Tribunal to be final and not to invalidate its proceedings - No order of the Central Government appointing any person as the Chairperson or the Member of a Cyber Appellate Tribunal shall be called in question in any manner and no act or proceeding before a Cyber Appellate Tribunal shall be called in question in any manner on the ground merely of any defect in the constitution of a Cyber Appellate Tribunal.

This section gives finality to an order of the central government appointing any person as chairperson or member of the cyber appellate tribunal, and provides that no act or proceeding before the cyber appellate tribunal shall be called in question in any manner on the ground merely of any defect in the constitution of the cyber appellate tribunal. But it has come up many a time that the concept of statutory finality embodied in section 55 does not detract from or abrogate the power of judicial review of the Supreme Court or High Court under Articles 136, 226 and 227 of the Constitution insofar as infirmities based on violation of constitutional mandates, mala fides, non-compliance with the rules of natural justice and perversity are concerned.

Section 56: Staff of the Cyber Appellate Tribunal - (1) The Central Government shall provide the Cyber Appellate Tribunal with such officers and employees as the Government may think fit.
(2) The officers and employees of the Cyber Appellate Tribunal shall discharge their functions under general superintendence of the Chairperson.


(3) The salaries and allowances and other conditions of service of the officers and employees of the Cyber Appellate Tribunal shall be such as may be prescribed by the Central Government.

Section 57: Appeal to Cyber Regulations Appellate Tribunal - (1) Save as provided in sub-section (2), any person aggrieved by an order made by a Controller or an adjudicating officer under this Act may prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter.
(2) No appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties.
(3) Every appeal under sub-section (1) shall be filed within a period of forty-five days from the date on which a copy of the order made by the Controller or adjudicating officer is received by the person aggrieved and it shall be in such form and be accompanied by such fee as may be prescribed:
Provided that the Cyber Appellate Tribunal may entertain an appeal after the expiry of the said period of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period.
(4) On receipt of an appeal under sub-section (1), the Cyber Appellate Tribunal may, after giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.
(5) The Cyber Appellate Tribunal shall send a copy of every order made by it to the parties to the appeal and to the concerned Controller or adjudicating officer.
(6) The appeal filed before the Cyber Appellate Tribunal under sub-section (1) shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal.

This section implies that any order, including an interim order, of the Controller or adjudicating officer is appealable. However, in Dr. Avinash Agnihotry [5] it was held that appeals are not maintainable without exhausting the alternative remedy.

Inherent jurisdiction to decide the appeal without exhausting the alternative remedy

Dr. Avinash Agnihotry Vs. Controller of Certifying Authorities and others [6]

Briefly stated, the facts leading to the appeal are that the appellant is a member of IPAG, the Planning Group of Electronics Commission under the Ministry of Information Technology, Government of India, and he has claimed to have contributed to planning of the Indian Electronics Industry. Later he worked at Mascon Global Limited as Senior Vice President. According to the submissions of the appellant, he has received various emails through his employer Mascon Global Limited apparently sent by email ID avinash.agnihotry@gmail.com. Some unknown persons have falsely, dishonestly and fraudulently fabricated and created the e-mail ID avinash.agnihotry@gmail.com registered in the name of the appellant by submitting false and mischievous information. By registering a forged email ID being avinash.agnihotry@gmail.com, the said unknown persons have sent a defamatory, derogatory and obnoxious e-mail to a distinguished personality, representing an important investor of the applicant's company Mascon Global Limited, with a view to demolish and finish the reputation of the appellant's employer company Mascon Global Limited and its Chairman and CEO Shri Sandy K Chandra.

Controller of Certifying Authorities, i.e. Respondent No. 1, has filed the reply to the appeal inter alia raising a preliminary objection stating therein that the present appeal is void ab initio as the appeal can be filed under Section 57 of the Information Technology Act only against an order of the Controller, that too as per the Chapter relating to Digital signature. In the instant case, since no order has been passed by the Controller, no appeal can be filed.
The appellant has failed to enclose any order passed by the Controller which could be made subject matter of this appeal, thereby making a mockery of all established legal principles and procedures. Further, the appellant, without even waiting for a reasonable time for the Controller to investigate the complaint and pass an order, filed this appeal against respondent No. 1.

Respondents 2 and 3, i.e. Gmail.com, have also filed a Statement of objections wherein it has been stated that the appellant has impleaded Gmail.com as respondent No. 2 and that Gmail.com is a service offered by Google Inc. and is not a legal entity by itself; as such the appellant has wrongly impleaded Gmail.com as a party to the proceedings. It is also submitted that the application to direct respondent No. 1 to investigate the various alleged contraventions of the provisions of the Information Technology Act, 2000 and further to direct respondents No. 2 and 3 to assist respondent No. 1 in its investigations could not have been filed before this Tribunal.

However, counsel for the appellant has submitted that this Court has inherent jurisdiction to decide the appeal even without exhausting the alternative remedy. Counsel for the appellant has referred to the provisions of Section 58 of the Information Technology Act in order to support the argument.

It will appear from the aforesaid definitions that the jurisdiction of the Certifying Authority is confined only to the digital signatures as contained under Chapter II and Chapter III, whereas Chapter IX relates to penalties, compensation and adjudication by the Adjudicating Officer and Chapter X relates to the Cyber Appellate Tribunal. Counsel for the respondents have pointed out that the present appeal is not maintainable inasmuch as neither is there any order passed by the Controller nor does the matter pertain to Chapters II, III, IV and V relating to electronic signatures. The matter relates to the offences covered under Chapters IX and XI and as such the Controller gets no jurisdiction and the appeal, therefore, is also not maintainable.

The Tribunal held that the statute provides that the appeal can be filed only against the orders passed by the Adjudicating Officer. So far as the provisions of Section 43 of the IT Act and Chapter II are concerned, there is no scope to appeal against the order passed by the Certifying Authority. In view of the above, the argument of the appellant cannot be said to be justified, and the same is rejected.
It was further decided against the appellant, and it is held that without exhausting the alternative remedy of approaching the Adjudicating Officer appointed under the Information Technology Act, 2000, no appeal is maintainable under Section 57 of the Information Technology Act.

In Mascon Global Limited Vs. Controller of Certifying Authorities [7], a similar question arose: whether the present appeal is maintainable without exhausting the alternative remedy of approaching the Controller of Certifying Authorities or the Adjudicating Officer appointed under the IT Act, 2000. The court, in tune with the previous case, held that without exhausting the alternative remedy of approaching the Adjudicating Officer appointed under the Information Technology Act, 2000, no appeal is maintainable under Section 57 of the Information Technology Act. [8]

Nevertheless, sub-section (2) implies that if the adjudicating officer has passed the order with the consent of the parties, no appeal shall lie to the tribunal.

As per sub-section (3), any person aggrieved by the order made by the Controller or adjudicating officer shall file an appeal within a period of forty-five days from the date on which a copy of the order made by the Controller or the adjudicating officer is received by him. However, the proviso to sub-section (3) gives the power to admit an appeal after the limitation period, in case the appellant satisfies the tribunal that he had sufficient cause for not filing an appeal within such period. This section is in tune with section 5 of the Limitation Act, 1963.

Sub-section (4) provides the opportunity of being heard. The tribunal shall give an opportunity of being heard to the appellant before passing any kind of order. The scheme of this section is to give a notice offering an opportunity to explain his conduct.

Sub-section (5) has conferred a duty on the tribunal to send a copy of every order made by it to the parties to the appeal and to the Controller and adjudicating officer concerned.

Sub-section (6) has not made it mandatory for the tribunal to decide the appeal within six months, but the words "as expeditiously as possible" and "endeavor shall be made by it" have put enough burden on the tribunal to dispose of the appeal finally within six months from the date of receipt of the appeal.
Section 58: Procedure and Powers of the Cyber Appellate Tribunal - (1) The Cyber Appellate Tribunal shall not be bound by the procedure laid down by the Code of Civil Procedure, 1908 but shall be guided by the principles of natural justice and, subject to the other provisions of this Act and of any rules, the Cyber Appellate Tribunal shall have powers to regulate its own procedure including the place at which it shall have its sittings.
(2) The Cyber Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely
a. summoning and enforcing the attendance of any person and examining him on oath;
b. requiring the discovery and production of documents or other electronic records;
c. receiving evidence on affidavits;
d. issuing commissions for the examination of witnesses or documents;
e. reviewing its decisions;
f. dismissing an application for default or deciding it ex parte;
g. any other matter which may be prescribed
(3) Every proceeding before the Cyber Appellate Tribunal shall be deemed to be a judicial proceeding within the meaning of sections 193 and 228, and for the purposes of section 196 of the Indian Penal Code and the Cyber Appellate Tribunal shall be deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973 (2 of 1974).

This section requires that the tribunal shall not be bound by the procedure laid down by the C.P.C. but shall be guided by the principles of natural justice. However, the tribunal shall have the power to regulate its own procedure. This Act has deprived the subject of the procedure laid down in the CPC in respect of all the appeals before the tribunal in which, having regard to the class of people affected, a speedy decision as to their appeals is essential. The concepts of natural justice, such as nemo debet esse judex in propria causa, audi alteram partem, good faith, lack of bias, no arbitrary or unreasonable decision, etc., are embedded in this section.

However, the Cyber Appellate Tribunal (Procedure) Rules, 2000 have laid down the procedure for filing, presenting and scrutiny of the application. An application to the Tribunal shall be presented in Form-1 annexed to these rules by the applicant in person or by an agent or by a duly authorized legal practitioner, to the Registrar or sent by registered post addressed to the Registrar.


The application under sub-rule (1) shall be presented in six complete sets in a paper-book form along with one empty file size envelope bearing the full address of the respondent. Where the number of respondents is more than one, a sufficient number of extra paper-books together with the required number of empty file size envelopes bearing the full address of each respondent shall be furnished by the applicant. The applicant may attach to and present with his application a receipt slip as in Form No. 1, which shall be signed by the Registrar or the officer receiving the applications on behalf of the Registrar in acknowledgement of the receipt of the application.

Notwithstanding anything contained in sub-rules (1), (2) and (3), the Tribunal may permit:
(a) More than one person to join together and file a single application if it is satisfied, having regard to the cause of action and the nature of relief prayed for, that they have the same interest in the service matter; or
(b) An Association representing the persons desirous of joining in a single application provided, however, that the application shall disclose the names of all the persons on whose behalf it has been filed.

Every application filed under Rule 3 shall set forth concisely under distinct heads the grounds for such application, and such grounds shall be numbered consecutively and typed in double space on one side of the paper. It shall not be necessary to present a separate application to seek an interim order or direction if the application contains a prayer seeking an interim order or direction pending final disposal of the application.

According to sub-section (3), all proceedings before the tribunal shall be deemed to be judicial proceedings within the meaning of sections 193, 228 and 196 of the IPC. It seems this section means the proceedings in the course of which evidence is or may be legally taken on oath.
The power to take evidence on oath is the characteristic of a judicial proceeding. The second limb of sub-section (3) has declared that the Cyber Appellate Tribunal shall be deemed to be a civil court for the purposes of section 195 and Chapter XXVI of the CrPC. This chapter deals with the offences affecting the administration of justice.

The Constitution Bench in Dhulabhai v. State of M.P. [9] said that: Where there is an express bar of the jurisdiction of the court, an examination of the scheme of the particular Act to find the adequacy or the sufficiency of the remedies provided may be relevant but is not decisive to sustain the jurisdiction of the civil court. Where there is no express exclusion, the examination of the remedies and the scheme of the particular Act to find out the intendment becomes necessary and the result of the inquiry may be decisive. In the latter case it is necessary to see if the statute creates a special right or a liability and provides for the determination of the right or liability and further lays down that all questions about the said right and liability shall be determined by the tribunals so constituted and whether remedies normally associated with actions in civil courts are prescribed by the said statute or not.

It shows that the provisions of the IT Act are no doubt special, and to the extent they provide specific remedies, the civil court's jurisdiction is barred. However, what does not follow from the above decisions, as is sought to be urged by the defendant, is that every claim inter partes is barred. The provisions of the Copyright Act, which confer copyrights upon databases, as well as the plaintiff's rights towards its trade secrets, cannot be the subject matter of jurisdiction of the adjudicating authority. To hold so would be to do violence to the provisions of the IT Act, as Parliament never intended ouster of the civil court's jurisdiction, and its substitution with a specialized tribunal in that regard.
Section 59: Right to legal representation - The appellant may either appear in person or authorise one or more legal practitioners or any of its officers to present his or its case before the Cyber Appellate Tribunal.

In order to present his case before the tribunal, the following persons have been permitted to appear before the tribunal:
- The appellant himself;
- Any legal practitioner authorized by the appellant;
- Any officer authorized by the appellant.

Rule 8(3) cyber appellate

Every application shall be accompanied by a paper book containing:
(i) a certified copy of the order against which the application has been filed;
(ii) copies of the documents relied upon by the applicant and referred to in the application; and
(iii) an index of documents.

The documents referred to in sub-rule (1) may be attested by an advocate or by a Gazetted Officer. Where an application is filed by an agent, documents authorising him to act as such agent shall also be appended to the application. Provided that where an application is filed by an advocate it shall be accompanied by a duly executed vakalatnama.

Section 60: Limitation - The provisions of the Limitation Act, 1963, shall, as far as may be, apply to an appeal made to the Cyber Appellate Tribunal.

The addition of this section has put to rest any doubt regarding the application of the Limitation Act to an appeal filed before the tribunal. This section has been added just to declare that the provisions of the Limitation Act shall be applicable in respect of all the appeals filed before the Cyber Appellate Tribunal.

Section 61: Civil court not to have jurisdiction - No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act to determine and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.

According to this section, no court shall have jurisdiction in respect of any matter arising under this Act which may be determined by the adjudicating officer or the Cyber Appellate Tribunal. Nor shall it be open to any party to challenge in any civil or revenue court or before other authorities any action taken or to be taken in pursuance of any power conferred by or under this Act and to obtain an injunction.
However, the second part of this section does not affect the first part of the section; it bars any action taken or to be taken in pursuance of any power conferred by or under this Act.

Mr. Abhinav Gupta Vs. JCB India Limited and Ors.

In gist, the facts and issues which have been decided by the learned Single Judge in the impugned order are that merely because certain facts alleged in the plaint show violation of the provisions of the Information Technology Act, 2000, for which a remedy is provided under the Information Technology Act, would not mean that a plaint which contains various other causes of action and other reliefs based on those causes of action should be rejected under Order 7 Rule 11 CPC.

The defendant/appellant filed an application under Order 7 Rule 11 CPC only on the ground that the suit was barred by the provisions of the Information Technology Act, and more particularly Section 61 thereof, which provides that a civil court will not have jurisdiction in respect of any matter which an adjudicating officer appointed under the Act or the Cyber Appellate Tribunal under the Act is empowered to determine. In addition to the ground of the plaint being sought to be rejected on account of bar of law, during the course of arguments it also appears to have been argued that the suit must be stayed awaiting the determination by the adjudicating officer under the Information Technology Act, inasmuch as a complaint is pending before the adjudicating officer under the Information Technology Act on the basis of the facts which also have been alleged in the plaint.

It was held that, surely and assuming, if one particular relief or cause of action is barred under the Information Technology Act, that would not mean that the plaint as a whole has to be rejected, inasmuch as the plaint contains various other causes of action and reliefs pertaining to injunction for infringing of copyright and confidential information/material and also towards injunction for re-delivery of the confidential/material information.
If on trial it emerges that certain relief can be granted only under the Information Technology Act, then such relief may be denied and the suit may be dismissed to that extent; however, that cannot mean that at this stage itself, when the suit is still at the preliminary stage and even issues have not been framed, the plaint itself should be rejected under Order 7 Rule 11.

The Division Bench declined to accept that the reliefs claimed in the suit are ancillary to the reliefs claimed for violation of the provisions of the Information Technology Act. Facts pertaining to the violation of the Information Technology Act are only some of the facts as averred in the chain of events which show how the confidential and proprietary information/materials of respondent No. 1 were misappropriated and mis-utilized by the appellant. This cannot mean that the other causes of action and reliefs cannot independently stand on their own, and which are specific and exhaustive in themselves pertaining to injunction against violation of confidential information/material, copyright and rendition of accounts and so on. Each of the reliefs and causes of action is substantial and independent of the others, and it cannot be said that the reliefs and causes of action pertaining to matters other than violation of the provisions of the Information Technology Act are incidental to the violation of the provisions of the Information Technology Act. The averments as to violation of the provisions of the Information Technology Act have been averred as an aid to the final reliefs which are claimed on the basis of the causes of action averred and reliefs claimed thereon. We also therefore do not agree that the suits were liable to be stayed till decision of the complaint pending under the Information Technology Act.

Section 62: Appeal to High court - Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of such order:
Provided that the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.

This section allows appeals to the High Court from any decision or order of the Cyber Appellate Tribunal on any question of fact or law arising out of such order of the tribunal. However, if a case involves a general question of law of general importance that is required to be decided by the High Court, the appeal shall lie to the High Court.
Nevertheless, this section also limits the time period for filing the appeal to the High Court to 60 days. This period may be extended on sufficient cause for a further period of sixty days. The High Court cannot extend the period beyond this further period not exceeding sixty days, even though sufficient cause is shown by the appellant. Section 60 will apply here, and the advantage of section 5 of the Limitation Act cannot be taken.

Section 63: Compounding of Contravention - (1) Any contravention under this Act may, either before or after the institution of adjudication proceedings, be compounded by the Controller or such other officer as may be specially authorised by him in this behalf or by the adjudicating officer, as the case may be, subject to such conditions as the Controller or such other officer or the adjudicating officer may specify:
Provided that such sum shall not, in any case, exceed the maximum amount of the penalty which may be imposed under this Act for the contravention so compounded.
(2) Nothing in sub-section (1) shall apply to a person who commits the same or similar contravention within a period of three years from the date on which the first contravention, committed by him, was compounded.
Explanation - For the purposes of this sub-section, any second or subsequent contravention committed after the expiry of a period of three years from the date on which the contravention was previously compounded shall be deemed to be a first contravention.
(3) Where any contravention has been compounded under sub-section (1), no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded.

No power of compounding any contravention has been given to the tribunal. If any contravention is compounded under sub-section (1) by the Controller or the adjudicating officer, no appeal can be filed to the tribunal against the contravention so compounded. The jurisdiction of the tribunal shall never be utilized by the parties concerned.

As per sub-section (2), any contravention under this Act is compoundable under sub-section (1), but the same or a similar contravention committed for the second or subsequent time within a period of three years shall not be compoundable.


Section 64: Recovery of Penalty or compensation - A penalty imposed or compensation awarded under this Act, if it is not paid, shall be recovered as an arrear of land revenue and the license or the Electronic Signature [10] Certificate, as the case may be, shall be suspended till the penalty is paid.

If the person on whom a penalty or compensation has been imposed under this Act refuses to pay the amount of compensation or penalty, it shall be recovered as an arrear of land revenue. It needs to be noted that each state has its own law to recover arrears of land revenue.

The section further says that if the Controller or the adjudicating officer or the tribunal decides that the certifying authority or the subscriber has contravened the provisions of this Act and has not paid the amount of penalty imposed, the licence granted to the certifying authority or the electronic signature certificate granted to the subscriber shall be suspended till the recovery of the amount of the penalty.

References
1. Inserted by Information Technology (Amendment) Act, 2008
2. Inserted by Information Technology (Amendment) Act, 2008
3. Inserted by Information Technology (Amendment) Act, 2008
4. Inserted by Information Technology (Amendment) Act, 2008
5. MANU/CY/0010/2010
6. MANU/CY/0010/2010
7. MANU/CY/0013/2010
8. Also refer Aruna Kashinath Vs. Controller of Certifying Authorities and others.
9. MANU/SC/0157/1968: AIR 1969 SC 78
10. Substitution of words "digital signature" by words "electronic signature" by ITAA 2008


CHAPTER XI

OFFENCES
Who is the competent authority to try offences under Chapter XI of the I.T. Act

In Shiva Jatan Thakur (Dr.) Vs. Union of India & Ors. [1] the Court affirms the overriding effect and defines the jurisdiction issues in detail. There can be no dispute that the Information Technology Act is a special Act and, in terms of the provisions of Section 4 of the Code of Criminal Procedure, read with Section 81 of the I.T. Act, the offences under the I.T. Act shall be investigated, inquired into, tried and otherwise dealt with according to the provisions contained in the Code of Criminal Procedure, subject, however, to any provision(s) which may be contained in the I.T. Act indicating otherwise.

The First Schedule to the Code of Criminal Procedure divides the entire Code into two parts, viz., Part-I and Part-II. Part-I deals with offences under the Indian Penal Code and specifies whether a given offence is cognizable or non-cognizable, bailable or non-bailable, and who is competent to try the offence, whether a Magistrate or a Court of Session. Part-II deals with other laws, which obviously means and includes special penal acts, such as the I.T. Act. Part-II classifies the offences into cognizable, non-cognizable, bailable and non-bailable, depending substantially upon the length of imprisonment prescribed for a given offence. Even the question as to who can try an offence under a special law is answered by Part-II on the basis of the length of imprisonment prescribed. For instance, if an offence is punishable with imprisonment for less than three years or with fine only, such an offence is non-cognizable, bailable and triable by any Magistrate; whereas, if an offence is punishable with imprisonment for three years and upwards but not more than seven years, then the offence is cognizable, non-bailable and triable by a Magistrate of First Class; and, if an offence is punishable with death, imprisonment for life, or imprisonment for more than seven years, the offence is cognizable, non-bailable and triable by a Court of Session.

Admittedly, the I.T. Act does not specify who or which Court would try the offences which the I.T. Act has created. A cross-examination of the offences which have been created in Chapter IV of the I.T. Act shows that the offences are punishable either by imprisonment up to three years or with fine, or with both, but some of the offences are punishable by imprisonment of seven years and even imprisonment for life.

The Court further held that, considering the fact that the offences which have been mentioned under Chapter XI are all punishable with imprisonment for three years and above, there can be no escape from the conclusion that all these offences are cognizable offences and, being cognizable offences, the police is competent to register the offences and investigate the same, the only limitation being that a police officer, in order to be competent to investigate the case, must be of the rank of, at least, an Inspector.

1. 2011(3)GLT813

Section 65 - Tampering with computer source documents - Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation. For the purposes of this section, "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
Before explaining this section, let us first consider a common practice followed in the computer hardware market. Spiderman, Chinaking, etc.: these are not blockbusters. Rather, they are two software programmes related to cellular technology that are giving a headache to central security agencies. These software programmes are believed to help in changing the International Mobile Station Equipment Identity (IMEI) of mobile phones manufactured in China. The IMEI number is a 15-digit unique number of every mobile handset and comes in handy for security agencies in the event of cellular technology being used for any terror or criminal activity. Many cases in this regard being handled by police across the country rang alarm bells for the security agencies, as they found it very difficult to handle those indulging in such crimes of changing IMEI numbers.

Nevertheless, section 65 attracts these kinds of offences where some sort of source, or rather the computer source code, is required to be maintained by law. In the explanation to section 65 the term "computer source code" has been defined as the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

For the offence of tampering with computer source code, it is not necessary that both knowledge and intention be present. One may have knowledge about destroying the computer source code without any intention to do so. Knowledge of the consequence of tampering with the computer source code may bring the case within the definition of the offence under this section. In determining the criminality of the accused, the requisite intention or knowledge on the part of the accused must be established.

The most vulnerable computer source code lies with the banking companies. However, in June 2001 the Reserve Bank of India, by its regulation for internet banking, had categorically directed all banks offering internet banking facilities to employ ethical hackers to prevent breaches in their systems.

Cell phone unlocking amounts to tampering with computer source code

In the case of Syed Asifuddin and Ors. Vs. The State of Andhra Pradesh & Anr. [1], Tata Indicom employees were arrested for manipulation of the electronic 32-bit number (ESN) programmed into cell phones that were exclusively franchised to Reliance Infocomm.
The court held that such manipulation amounted to tampering with computer source code as envisaged by section 65 of the Information Technology Act, 2000.

Deletion of information in a computer cannot amount to an offence under section 65 of the IT Act, 2000

However, the deletion of information in a computer cannot amount to an offence under section 65 of the IT Act, 2000.

ITC Limited and Anr. Vs. State of U.P. and Anr.²

An application under Section 156(3) of the Code of Criminal Procedure was filed by the complainant, alleging that he was the convenor of the village Minaura E-Choupal programme run by ITC Limited. The complainant's duty was to distribute seeds to the concerned villagers at reasonable rates and provide information about the same. The seeds were made available to the complainant by the local seeds distributor of the company, the co-accused Anoop Kumar Mittal of Mittal Traders. One variety of these seeds, PU-35, supplied by the company through the distributor Mittal Traders, was found to be adulterated and of inferior quality. When the farmers complained of the poor quality of the seeds, the complainant immediately communicated this fact to the District Agriculture Officer and higher officials of the company, complaining that, as the company had wrongfully made him distribute an inferior variety of seeds, the agriculturists should be compensated immediately. The company took no notice of the complaint and instead, with the aid of Anoop Kumar Mittal, took away the computer when the complainant was absent. The computer contained some information, files and other electronic data, and the information, files and data of the complainant in the computer were destroyed.

When the matter came before the Allahabad High Court, it was argued that no offence under Section 65 of the Information Technology Act was made out. The Court held that this was rightly argued: no offence under Section 65 of the Information Technology Act, 2000 was made out, because in the present case there was no allegation of concealment, destruction or alteration of the computer source code, which under the Explanation to Section 65 means the listing of programmes, computer commands, design and layout and programme analysis of computer resources in any form. The deletion of information in a computer thus cannot amount to an offence under Section 65 of the Information Technology Act, 2000.

In Jigar Mayurbhai Shah vs State Of Gujarat³, the court held that setting up international calls pretending to be local calls amounts to tampering with computer source code. In this case the applicant was alleged to be involved in an offence pertaining to a separate telephone exchange network created by him. Telephone calls to foreign countries were being made by his customers without any telephone bills being recorded. The offences alleged against the applicant are under Sections 420, 465, 468, 471, 120(b) of the Indian Penal Code, Sections 4, 20, 20(a) and 25 of the Indian Telephone Act, Sections 3 and 6 of the Indian Wireless Telegraph Act and Section 65 of the Information Technology Act. Several items were found during the course of investigation, as under:

(1) Cisco-2600 router
(2) D link switch
(3) PRI Modem
(4) IPBX
(5) UPS Power unit
(6) Computer system
(7) One telephone Instrument and 150 mtr. long cable wire

The bail application was dismissed on the ground that several foreign calls had been diverted, thereby causing a loss of crores of rupees to B.S.N.L. and/or to the telephone department of the Union of India.

Tampering with automatic billing machine amounts to tampering with computer source code

Varpaul Singh Vs. State of Punjab⁴

The petitioner contended that he was working in a supervisory capacity and had nothing to do with the cash collected. It was the cashier's job and, therefore, the petitioner could not have been implicated. It was further argued that the petitioner had made a demand against the complainant, M/s Makkar Motor Private Limited, Jalandhar, for raising his salary, and that he had been falsely implicated as a counterblast to the said demand.

The petitioner was working in the capacity of General Manager of M/s Makkar Motor Private Limited. In furtherance of the common intention of the accused, fictitious bills and entries were created. Important data was deleted from the computers. Related documents were taken away by committing the offence of theft. Spare parts had been sold/embezzled. A substantial amount had been pocketed by the accused mentioned in the FIR. It was contended that the Managing Director of the Company wanted the petitioner to sign certain claim/insurance papers to enable the Company to get a claim against the damage to his property. The petitioner did not sign the documents and hence was implicated in the case.

The manner in which the offence has been committed indicates that the petitioner, under whose supervision the work was being done in the workshop, allegedly indulged in preparing false bills. It is also alleged that he misused the confidence reposed in him by way of giving him access to the mainframe. The password entrusted to him for a particular purpose was used to change the data in the computer system. It is also alleged that while more money was charged, the defects in the vehicles were not rectified. Bills for the work done were deleted from the computer mainframe. The allegation is of removal of records as well as deletion of material from the computer mainframe.

It was held that it is not in dispute that the petitioner had been working as General Manager. In such circumstances, it cannot be said at this stage that the petitioner had nothing to do with the cash or with the supervision of repair of vehicles and preparation of bills. As far as the contention that the petitioner has been falsely implicated because he had raised a demand for raising salary and because he had refused to sign the claim/insurance papers to enable the Managing Director to get a claim is concerned, surely the investigating agency would look into that aspect also. In view of the above, no ground for bail under Section 438 Cr.P.C. is made out.

Unistal System Pvt. Ltd. Vs. Prodata Doctor Pvt. Ltd.⁵

In this case the plaintiff prayed that the defendants be directed to deposit all monies and revenues generated and collected by the sale of Data Doctor for FAT and NTFS, as also its variants and altered, modified or reproduced versions sold under different names and supported by different domain name registrars, web hosting service providers and payment gateways, and that these be immediately seized and brought under the custody and control of the Court.
The plaintiff also alleged that software downloaded by it on 2nd April 2009 clearly shows that, except for the names of the company/identity, everything is identical, the product is the same, and the defendants are still in possession of the infringed source code. The plaintiff argued that, pertaining to this fraud and infringement, FIR No. RC 0006/07 has also been registered with the CBI against the defendants under Section 65 of the Information Technology Act, 2000, Section 63 read with Section 14(6)(ii) of the Copyright Act and Section 381 of the Indian Penal Code. To support its case the CBI has placed on record a cyber forensic analysis report from CFSL, dated 12/5/08, of the hard disk of the Defendant's computer, thereby showing that the Defendant was found using and infringing the software of the plaintiff.

The defendants argued that this is not a case of alleged misuse or theft of source code; rather, since both the plaintiff and the defendants were using the same program, i.e. Microsoft Foundation Classes, to make their own source code leading to the final software products in question, it is but natural that both programs are bound to have certain alleged similarities in the visual layout.

The Court held that the pleas taken by the defendants have no legal basis and are not tenable, and that the plaintiff is entitled to this relief: since the defendants are continuing to sell the copied version and enjoying the benefits, they must deposit the proceeds of the same in the court. The Court can surely, in a case of this kind, in fair exercise of its judicial discretion, order the deposit of money pending decision of the suit for the purpose of doing justice or to prevent abuse of the process of the court.

Section 66: Computer Related Offences

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation: For the purpose of this section,
a) the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code;
b) the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code.

The basis of section 66 lies in section 43. It says that if any person, dishonestly or fraudulently, does any act set out in section 43, it will be considered an offence under this section. However, it is important to note that where the act is not done dishonestly or fraudulently, it amounts only to a civil wrong under section 43.

Internet is a window to me. Well, it is a window to millions of users like me.
This window brings in a good inflow of knowledge, some sweet breeze of friendships, economic inflow for some, and also a dusty wind which carries viruses. Even those who do not access the internet from their own computers may bring to their own safe computers or to others' computers
all these unwanted pollutions by secondary methods like CDs, pen drives, floppies etc. The Indian Information Technology Act recognizes under section 43 the two most prominent modes of polluting the computer, i.e. introducing or causing to be introduced a computer contaminant and a computer virus. Note that the mode is two-fold, i.e. either directly introducing or causing to be introduced. This direct or indirect operation includes the introduction of any computer contaminant and/or computer virus to the computer as a machine, to the computer system and to the computer network as a whole.

Distinguishing feature of computer contaminant and computer virus

The Explanation to section 43 says under clause (i) that "computer contaminant" is a term used to indicate any set of instructions designed to (a) modify, (b) destroy, (c) record, (d) transmit any data or programme residing within a computer. The term also includes any set of instructions which is designed, by any means, to usurp the normal computer operations. This means that this provision penalizes any or the whole of the activity done in this course.

Coming to the term "computer virus", the aforementioned legislation clarifies in its Explanation under clause (iii) what is meant by it. It is explained as a computer instruction, data, information or programme that can either destroy, damage, degrade or adversely affect the functioning of the computer, or can attach itself to another computer resource and operate simultaneously when any data, instruction or programme is executed in that computer resource. The language of the legislation therefore indicates that computer virus can include computer contaminant too. Nonetheless, computer virus and computer contaminant could be the two prominent modes for hacking, besides monitoring and modifying the contents.

Section 43 regulates such pollution of the computer (inclusive of computer contamination and polluting the computer through virus attack) by awarding a pecuniary sanction of Rupees 1 Crore, which the guilty person has to pay as compensation to the person so affected.

Court defines hacking in Abhinav Gupta Vs. State of Haryana⁶

The petitioner worked with Escorts as Manager Design. He
worked with Terex Vectra Equipment Private Limited as Manager, Designing for Back Hoe Loader. Then he worked with JCB India Pvt. Ltd. as Manager Product Engineering (Design). He joined Escorts as Divisional Manager (Designs). JCBI accepted his resignation and agreed to relieve him from his duties. He was relieved on the aforesaid date after he was given a final clearance by all the departments of JCBI, including the I.T. Department.

The FIR lodged against him by JCBI contains the allegations that he was exposed to various confidential information and trade secrets of the company and also had confidential drawings, designs, plans etc. of the complainant company. During the course of his exit interview with the Product Engineering Head, he categorically maintained that he would not be joining any company which was in direct competition with JCBI, and thus assured the Product Engineering Head that all intellectual property, information and secrets obtained by him during his tenure with JCBI would be kept confidential at all times. Later, the complainant came to know that after leaving the employment, the petitioner had joined Escorts Construction Equipments Ltd., which is a direct competitor of the complainant company.

The management of the complainant company was notified by the office security staff that some documents, being printouts of E-mail messages pertaining to the private E-mail account of Abhinav Gupta, abhinavdeepti@indiatimes.com, were found in the premises of the complainant company, which revealed that these were the intellectual property of the complainant. Confidential information containing the confidential files, data and designs of the complainant company from his official E-mail I.D. abhinavdeepti@indiatimes.com.
While in the employment of the complainant company he had actually sent/transmitted various confidential drawings including drawings for a Backhoe Bucket Link 40 tanks Fender Post leg Hydraulic rear post Boom-dipper WA drg. etc. to recipients. By indulging in the aforesaid illegal and wrongful acts, he has committed the offence of hacking under Section 66 of the Act etc.

The petitioner eloquently urged that since he was not given any laptop computer to carry out his work at home, it was a common practice that on Friday afternoon the pending work used to be downloaded to the personal E-mail of the designer so that while at home he could access the same from his home PC. This
work culture was not only approved by the management but was also encouraged by them, so that the weekends could be properly and effectively utilized by the designing team. The complainant argues that during the course of his employment with the complainant company, the petitioner used to download the confidential trade secrets of the complainant on his local PC and upload the same on his personal E-mail I.D. abhinavdeepti@indiatimes.com, and thus prima facie the offence is made out against him.

The allegation against the petitioner is that he indulged in hacking. Hacking means unauthorized access to computers. When a person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, with intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, he is said to have committed an offence of hacking under Section 66 of the Act. The person who commits an offence of hacking is called a hacker. A hacker is a person who intends to gain unauthorized access to a computer system. A hacker shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

The Court held that the Jargon Dictionary traces the origin of the term hacker to someone who makes furniture with an axe, and that the term was used for the first time in the 1960s as a badge by the hacker culture surrounding the Tech Model Railroad Club (TMRC) at Massachusetts Institute of Technology when its members began to work with computers.
The word hacker now represents any person:

(a) who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary;
(b) who programmes enthusiastically;
(c) who enjoys programming rather than just theorizing about programming;
(d) capable of appreciating hack value, which is defined as the reason or motivation for expending effort toward a seemingly useless goal, the point being that the accomplished goal is a hack;
(e) who is good at programming quickly;
(f) who is an expert at a particular programme or one who frequently does work using it or on it.

Webster's Dictionary defines the term hacker as a computer enthusiast who enjoys learning everything about a computer system
or network and, through clever programming, pushing the system to its highest possible level of performance. A hacker is a computer expert whose intrinsic curiosity persuades him to break into computers. Hacking is computer trespass. Whether hacking is an offence depends on mens rea.

Based on the intention, hackers are divided into two groups:

(1) Hackers who have no intent to do any criminal activity. These hackers do not consider breaking into a computer system a crime. They consider themselves members of an elite meritocracy based on ability, and trade hacker techniques. They are skilled computer users who penetrate computer systems with the sole purpose of gaining knowledge about computer systems and their actual working.
(2) Crackers who intend to engage in criminal activity. This dichotomy of hacker and cracker came on the scene in 1985 to distinguish benign hackers from hackers who have malicious intention. Crackers maliciously sabotage computers, steal information located on secure computers, and cause disruption to networks for personal or political motives.

Computer break-ins have been on the rise. For a cyber crime to fall under Section 66 of the Act, one must observe whether criminal intent was present or not. An act is intentional if it exists in idea before it exists in fact. Hacking signifies mischief with the computer resource. It is a mischief regarding destruction or alteration of any information residing in a computer resource. Section 66 of the Act defines hacking activity in a comprehensive manner. It treats hacking activity as exclusively associated with the computer resource.

The essentials of hacking are:

a. Whoever
b. Intention or knowledge
c. Causing wrongful loss or damage to the public or any person
d. Destroying or altering any information residing in a computer resource, or diminishing its value or utility, or affecting it injuriously by any means.

It involves an invasion of right and diminution of the value or utility of one's information residing in a computer resource. The hacker must have contemplated this when he hacked a computer resource. Hacking involves a mental act with destructive animus.

Adverting to the facts of the instant case, a glance through the
screen shots would reveal that abhinavdeepti@indiatimes.com is the ID of Abhinav Gupta, the petitioner, at Yahoo. He has sent all the data to this ID. A meticulous perusal would reveal that the petitioner has transferred the attachment of Back Hoe Link drawings to his ID abhinavdeepti@indiatimes.com. It is his own plea that he was not provided any laptop computer to carry out his work at home and that on Friday afternoon the pending work used to be downloaded to his personal E-mail ID. There is nothing on the record to show that he was allowed to do so by the competent authority of the complainant's company. As per his appointment letter, during the course of his employment with the complainant, he was not to divulge any information of a confidential nature relating to the business of the company or any associated company, except in case of necessity for the purpose of carrying out duties.

There is no gainsaying the fact that he was relieved from his duty, whereas the confidential data was sent on different dates in the month of February, 2008 at different times. Assuming that the petitioner used to download the pending work to his personal E-mail, even so, where was the occasion for him to send the confidential secrets of the complainant to outsiders after he had left the service of the company? In view of the conditions imposed upon him by his appointment letter, he was obligated to delete such data from his PC before he relinquished the charge. There is no denying the fact that the petitioner was using the company's computer system and computer network and in that course learnt about the confidential trade secrets in the designs and drawings of the Engineering department of the complainant. It is also alleged against him that, on perusal of his mail archive within the confidential wing of the company, it was detected that he used to send mails on various subject-matters to the E-mail ID abhinavdeepti@indiatimes.com, which fact is corroborated by printouts.
However, the court declined the anticipatory bail.

Koshy Vs. State of Kerala⁷

The Court held that the offence under Sections 65 and 66 of the Information Technology Act is bailable in view of Section 77B of the Information Technology Act. Section 77B was introduced by the Information Technology (Amendment) Act, 2008 (Act 10 of 2009). Section 77B provides that notwithstanding anything contained in the Code of Criminal Procedure, 1973, the offence punishable with
imprisonment of three years and above shall be cognizable and the offence punishable with imprisonment of three years shall be bailable.

The complainant, M/s Jay Polychem (India) Limited, is primarily engaged in the business of trading and distribution of petrochemicals in India and overseas. The Company has a foreign clientele. The Company has a web site, namely www.jaypolychem.com. On 30.11.2009, one of the Directors of the Company noticed a web site under the name and style www.jaypolychem.org containing defamatory and malicious contents against the Company and its Directors. That web site was neither created nor set up by the Company. It is alleged that it was set up by Samdeep Mohan Varghese @ Sam, a disgruntled and dismissed employee of the Company, in conspiracy with Amardeep Singh @ Amy, who was also an employee of the Company, and certain other persons such as Preeti and Charanjeet Singh @ Channi and the sister and brother-in-law of Sam, who are based in Cochin. They did so with a view to causing wrongful loss to the Company and wrongful gain to themselves, as a result of the collusion and conspiracy among them.

It is alleged that the accused persons sent various emails from fake email accounts to many of the customers of the Company. The said defamatory emails were sent with a view to causing loss of reputation and loss to the Company and its Directors. The defamation campaign run by the accused persons had caused immense damage to the name and reputation of the Company. The Company had suffered a loss of several crores of rupees. It is alleged that Samdeep Mohan Varghese and Amardeep Singh, in collusion with the other accused, had impersonated different individuals and had used forged electronic records, created false email accounts, sent false and offensive information causing loss to the Company and had deceived the addressees.
It is alleged that Samdeep Mohan Varghese had been passing on and exchanging confidential information of the Company with the other accused and third parties, and those persons include his sister and brother-in-law. The sister and brother-in-law of Samdeep Mohan Varghese had financed a trip for Amardeep Singh and his wife to Cochin and Munnar.

The Court held that there cannot be any doubt that this Court has jurisdiction to entertain the Bail Application and grant appropriate relief.

The next question to be considered is whether the petitioners are entitled to the reliefs prayed for. The petitioners are doctors. They are working at Ernakulam. They have a permanent abode. It cannot be believed that they would make themselves scarce if bail is granted. The petitioners have expressed their readiness to cooperate with the investigation. They even expressed their willingness for a search of their residence and office premises pending consideration of the Bail Application. There was an attempt to arrest the first petitioner. It is stated that he was dragged out from the hospital where he was working. The interim order passed by this Court was in force at that time. The warrant for arrest specifically states that the accused shall not be arrested if an order of the nature mentioned therein is produced by the accused. The first petitioner states that though he produced the interim order passed by this Court, the police officer from Punjab tried to arrest him and humiliate him. The Court held that the petitioners are entitled to relief in this Bail Application.

In Nirav Navinbhai Shah and Ors. Vs. State of Gujarat and Anr.⁸, accused No. 1, with the help of the other accused, hacked the complainant's computers and stole important data. The offence was investigated and a report came to be filed by the police. The complainant and three other witnesses have already been examined. It is stated in this application that in the meanwhile a settlement was arrived at between the parties to end all civil as well as criminal litigation pending between them in various courts, including a court in the United Kingdom. During the course of submissions, an affidavit of Respondent No. 2, Shri Sunil V. Pindoria, the original complainant and Director of I-Serve Systems Pvt. Ltd., was produced, stating that a settlement has been arrived at between the parties and that he and his Company were interested in quashing the criminal proceedings as it would serve the ends of justice.
The same is ordered to be taken on record. Respondent No. 2 has submitted that, in view of the aforesaid facts and circumstances, the continuation of criminal proceedings would not serve any useful purpose and would rather result in unnecessary consternation to the parties, having an adverse effect upon their entire settlement, whereunder all the civil and criminal cases are agreed to be concluded and ended amicably.

The Court held that the alleged hacking was perpetrated only on the complainant's computer system, which is said to have data pertaining to its client. Counsel submitted that on some web sites these data are already available. The dispute appears to be private in nature. The offence alleged is not strictly affecting or infringing any other individual or citizen. Thus, looking to the nature of the dispute, it can well be said that continuation of the same is not in the interest of justice. The continuation of the criminal proceedings would rather result in a miscarriage of justice, and hence they deserve to be quashed.

Simon Dunolz and Others Vs. State of Uttarakhand⁹

The appeal, preferred under Section 374 of the Code of Criminal Procedure, 1973, is directed against the judgment and order dated 18.5.2010, passed by the Sessions Judge, Tehri Garhwal in Sessions Trial No. 18 of 2008, whereby the said Court has convicted the appellants, namely Simon Dunolz, Belive and Ms. Christina Chakchuvak, under Section 420 read with Section 120B, Indian Penal Code, 1860, and each one of them has been sentenced to rigorous imprisonment for a period of six years and directed to pay a fine of 25,000. Accused-appellant Simon Dunolz has been further convicted under Section 14 of Foreigner Act, 1946 and sentenced to rigorous imprisonment for a period of four years and directed to pay a fine of 25,000. Heard Learned Counsel for the parties and perused the lower court's record.

Ms. Swati Maindola is a resident of Rishikesh who used to work as Finance Assistant in Hotel Ananda, Narendra Nagar. On 4.10.2007, she received an electronic mail at her mail I.D. swatiforever02@yahoo.com from the mail I.D. holder nationaldesk@earthlink.net. In the said mail the complainant Swati Maindola was informed that she had won a lottery of £2,50,000 (pound two lakh fifty thousand only), and she was advised to get in touch with Mark White on his e-mail address verification-claimagent71@yahoo.Com to claim her money. In response to the said mail the complainant sent her complete address, whereafter she was advised to get in touch with one Mr. John Finch, a Dispatch Officer, on his e-mail I.D. world courier-express delivery III @yahoo.Companyuk with phone number +44-701-11130078 or + 40-702-408-2934, fax number + 44-8704788143. On getting in touch with Mr. John Finch, the complainant was informed that she was allotted order number D28928806, and she was asked to accept one of four options, in reply to which she opted for wire transfer service, for which she was asked to deposit Rs. 1,75,500 (rupees one lakh seventy five thousand five hundred
only) to the payment officer, one Mr. Vincent Clarke, having mobile No. 9987388366. When Swati Maindola contacted Mr. Clarke, he advised her to deposit money in a particular account number of I.C.I.C.I. Bank. The complainant went on depositing the amounts asked for from time to time by the persons mentioned above, but she did not get any prize money. On 21.11.2007, a call was received from one David William through mobile No. 9920650094, who told her that he was coming to India and that the lottery prize money would have to be cleared at the airport, for which the complainant was asked to deposit a further Rs. 1,20,000 (rupees one lakh twenty thousand only). This was also done by her. On 22.11.2007, David William reached Rishikesh and stayed in Hotel Gangakinare, where he showed the complainant a parcel containing three bundles of green notes. David William made the complainant believe that the bundles contained genuine currency in dollars. On 23.11.2007, he told her that since Mr. Clarke had been arrested in Delhi, he needed a further Rs. 33,000 (rupees thirty three thousand only) for bringing some solution required to clean the currency notes. However, on 14.12.2007, though Dr. George came to Rishikesh, he returned on the same day. On smelling a rat, the complainant enquired about the incident from her officer at Ananda Hotel, where she works as Finance Assistant, who told her that she had been cheated.

On this the complainant Swati Maindola lodged a first information report on 19.12.2007 at Police Station Narendra Nagar, district Tehri Garhwal, against the three accused, namely David William, Vincent Clarke and Dr. George. On the basis of the first information report lodged by Swati Maindola, Crime No. 2082 of 2007 was registered against the above three accused relating to offences punishable under Sections 406, 420, 235 and 120B, I.P.C. and one punishable under Section 43/45/66/74 of the Information Technology Act, 2000.
The crime was investigated by the Circle Officer Shri Surjeet Singh Panwar, and a team for investigation was constituted. Station House Officer Rameshwar Prasad Sati was also one of the members of the said team. The investigating agency put the mobile numbers disclosed by the complainant, belonging to the accused, under surveillance in Delhi, Mumbai and Bangalore. The team (of the investigating agency) proceeded to Delhi to locate Dr. George. However, Dr. George failed to turn up at the places where he was asked to collect the money
further demanded by him. On 22.12.2007. Dr. George sent three persons (two men and one woman) to Rishikesh for collecting money regarding which complainant gave necessary information to the investigating team. The said three persons are the present appellants namely Simon Dunolz, Belive and Christina who were arrested by the police near Tapowan crossing within the limit of Police Station Munikireti, district TehriGarhwal. On arrest of the three accused (present appellants) they disclosed their identity. The two men are the Nigerian nationals and the third woman accused is Indian national from Assam. The investigating agency recovered mobile phones and some Indian and U.S. currency from the appellants regarding which memorandum of recoveries were made. The investigating agency also recovered the solution and other materials used by accused for making fake foreign currency notes and prepared necessary recovery memos. After collecting the evidence and on completion of investigation. Investigating Officer submitted charge-sheet against the accused/appellants, for their trial in respect ofoffences punishable underSections406,220,235,120B,489,489A,489B, I.P .C., under Sections 43J.45.66and74, Information Technology Act and under Section14of Foreigner Act (other three accused namely Dr. George, Vincent Clarke and David William were shown as absconding suspected and wanted accused). On receipt of charge-sheet by the Chief Judicial Magistrate, TehriGarhwal the case was committed to the Court of Sessions for trial, after giving necessary copies as required under Section 207, Cr. P .C. After hearing the parties on 24.10.2008. The Sessions Judge framed charge of offences punishable under Sections120B,420,231,235.489A, I.P .C. and one punishable under Section 43 and Section 45 of Information Technology Act, 2000 read with Section120B. I.P .C. 
on 3.11.2008 against the three accused Simon Dunolz, Belive and Christina Chakchuvak, to which all the three accused pleaded not guilty and claimed to be tried. An additional charge was framed on the same day (3.11.2008) by the Sessions Judge in respect of the offence punishable under Section 14, Foreigners Act against the accused Dunolz, to which also he pleaded not guilty and claimed to be tried. The oral and documentary evidence was put to the accused under Section 313 of Cr. P.C., in reply to which they pleaded ignorance and alleged that the evidence adduced against them is false. Accused
Simon Dunolz alleged that he was arrested actually on 21.12.2007 at Delhi. Similar statements were made by accused Belive. Accused Christina also made a similar statement under Section 313, Cr. P.C. in reply to the evidence adduced against her. However, no evidence in defence was adduced. However, the trial court found that the offences punishable under Sections 420/120B, 231/120B, 235/120B, 489A/120B, 489B/120B, I.P.C. and one punishable under Section 43/120B and Section 45/120B of Information Technology Act, 2000 were not proved on the record against any of the three accused/appellants.

On behalf of the appellants, it is argued that the investigating team has neither recorded the statements of the bank officials regarding the deposits made by the complainant, nor were the A.T.M. and chequebooks used in the crime recovered. It is contended that in such circumstances it cannot be said that the prosecution has proved the charge beyond reasonable doubt. This Court has gone through the entire evidence on record and re-appreciated the same, and it is of the view that even after the abovementioned lapse on the part of the investigating agency, the charge against the accused/appellants stands proved on the record.

The next submission made on behalf of the accused/appellants by the counsel for the appellants is that the SIM cards and mobiles were not sealed in the manner they were required to be sealed under the law. It is also argued that tampering with the mobile phones cannot be ruled out. I have considered the above submission of the Learned Counsel for the appellants and in my opinion, had it been a case of only circumstantial evidence, it could have been said that for the want of proper sealing of the SIM, the charge stood not proved, but in the present case, apart from the recoveries made, there is ample direct evidence and documentary evidence of e-mails, which otherwise also proves the charge on record against the accused.
For the reasons as discussed above this Court does not find sufficient force in this appeal, which is liable to be dismissed. Accordingly, the appeal is dismissed. Conviction and sentence recorded by the trial court against the accused-appellants Simon Dunolz, Belive and Christina Chakchuvak is affirmed.

Section 66A: Punishment for sending offensive messages through communication service, etc.

Any person who sends, by means of a computer resource or a communication device,
a. Any information that is grossly offensive or has menacing character; or
b. Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;
c. any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

Explanation: For the purposes of this section, terms "Electronic mail" and "Electronic Mail Message" means a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, image, audio, video and any other electronic record, which may be transmitted with the message. [10]

Section 66A of the Information Technology Act, which prescribes punishment for sending offensive messages through communication service, etc., is widely held by lawyers and legal academics to be unconstitutional. Section 66A, which punishes persons for sending offensive messages, is overly broad, and is patently in violation of Art. 19(1)(a) of our Constitution. The fact that some information is "grossly offensive" (s.66A(a)) or that it causes "annoyance" or "inconvenience" while being known to be false (s.66A(c)) cannot be a reason for curbing the freedom of speech unless it is directly related to decency or morality, public order, or defamation (or any of the four other grounds listed in Art. 19(2)). It must be stated here that many argue that John Stuart Mill's harm principle provides a better framework for freedom of expression than Joel Feinberg's offence principle.
The latter part of s.66A(c), which talks of deception, is sufficient to combat spam and phishing, and hence the first half, talking of annoyance or inconvenience, is not required. Additionally, it would be beneficial
if an explanation could be added to s.66A(c) to make clear what "origin" means in that section. Depending on the construction of that word, s.66A(c) can, for instance, unintentionally prevent organisations from using proxy servers, and may prevent a person from using a sender envelope different from the "from" address in an e-mail (a feature that many e-mail providers like Gmail implement to allow people to send mails from their work account while being logged in to their personal account). Furthermore, it may also prevent remailers, tunnelling, and other forms of ensuring anonymity online. This doesn't seem to be what is intended by the legislature, but the section might end up having that effect. This should hence be clarified.

A large part of s.66A can be traced back to s.10(2) of the UK's Post Office (Amendment) Act, 1935:

"If any person (a) sends any message by telephone which is grossly offensive or of an indecent, obscene, or menacing character; or (b) sends any message by telephone, or any telegram, which he knows to be false, for the purpose of causing annoyance, inconvenience, or needless anxiety to any other person; or (c) persistently makes telephone calls without reasonable cause and for any such purposes as aforesaid; he shall be liable upon summary conviction to a fine not exceeding ten pounds, or to imprisonment for a term not exceeding one month, or to both such fine and imprisonment."

Section 66A bears a striking resemblance to the three parts of this law from 1935, with clauses (b) and (c) being merged in the Indian law into a single clause (b) of s.66A, with a whole bunch of new purposes added. Interestingly, the Indian Post Office Act, 1898, was never amended to add this provision. The differences between the two are worth exploring. The first major difference is that the maximum term of imprisonment in the 1935 Act is only one month, compared to three years in s.66A of the IT Act.
It seems the Indian government decided to subject the prison term to hyper-inflation to cover for the time. If this had happened for the punishment for, say, criminal defamation, then that would have a jail term of up to 72 years. The current equivalent laws in the UK are the Communications Act, 2003 (s.127) and the Malicious Communications Act 1988 (s.1), for both of which the penalty is up to 6 months' imprisonment or a maximum fine of
£5000 or both. What's surprising is that in the Information Technology (Amendment) Bill of 2006, the penalty for section 66A was up to 2 years, and it was changed on December 16, 2008 through an amendment moved by Mr. A. Raja (the erstwhile Minister of Communications and IT) to 3 years. Given that parts of s.66A(c) resemble nuisance, it is instructive to note the term of punishment in the Indian Penal Code (IPC) for criminal nuisance: a fine of Rs. 200 with no prison term.

Sending vs. Publishing

An interesting point is that the IT Act uses "send" as part of its wording, and not "publish". Given that, only messages specifically directed at another would be included. While this is an interesting proposition, it cannot be accepted because: (1) even blog posts are "sent", albeit to the blog servers; s.66A doesn't say who it has to be sent to; (2) in the UK the Communications Act 2003 uses similar language and that, unlike the Malicious Communication Act 1988 which says "sends to another person", has been applied to public posts to Twitter, etc.; (3) the explanation to s.66A(c) explicitly uses the word "transmitted", which is far broader than "send", and it would be difficult to reconcile them unless "send" can encompass sending to the publishing intermediary like Twitter. Part of the narrowing down of s.66A should definitely focus on making it applicable only to directed communication (as is the case with telephones, and with the UK's Malicious Communication Act), and not be applicable to publishing.

Section 66A(a)

The term "menacing character" in this section means (i) showing intention to inflict harm or threat, or (ii) one that represents a threat, i.e. danger, or to act in a threatening manner. Activities such as e-mail frauds, ATM frauds, wire fraud, file sharing and privacy, counterfeiting and forgery could be brought under this section.
In s.66A(a), the question immediately arises whether the information that is "grossly offensive" or "menacing" needs to be addressed at someone specific and be seen as grossly offensive or menacing by that person, or be judged by a "reasonable man" test. Additionally, the term "grossly offensive" will have to be read in such a heightened manner as to not include merely causing offence. The one other place where this phrase is used in Indian law is in s.20(b) of the Indian Post Office Act (prohibiting the sending
by post of materials of an indecent, obscene, seditious, scurrilous, threatening, or grossly offensive character). The big difference between s.20(b) of the IPO Act and s.66A of the IT Act is that the former is clearly restricted to one-to-one communication (the way the UK's Malicious Communication Act 1988 is). Reducing the scope of s.66A to direct communications would make it less prone to challenge. Additionally, in order to ensure constitutionality, courts will have to ensure that "grossly offensive" does not simply end up meaning "offensive", and that the maximum punishment is not disproportionately high as it currently is. Even laws specifically aimed at online bullying, such as the UK's Protection from Harassment Act 1997, can have unintended effects. As George Monbiot notes, "the first three people to be prosecuted under [the Protection from Harassment Act] were all peaceful protesters."

Section 66A(b)

Section 66A(b) has three main elements: (1) that the communication be known to be false; (2) that it be for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will; (3) that it be communicated persistently. The main problem here is, of course, (2). "Annoyance" and "inconvenience", "insult", "ill will" and "hatred" are very different from "injury", "danger", and "criminal intimidation". If any person sends information to another person, by means of a computer resource or a communication device, which he knows to be false, but he sends such information for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, by making use of such computer resource or a communication device, he shall be liable to punishment. That a lawmaker could feel that punishment for purposes this disparate belonged together in a single clause is quite astounding and without parallel (except in the rest of the IT Act).
That's akin to having a single provision providing equal punishment for calling someone a moron ("insult") and threatening to kill someone ("criminal intimidation"). While persistent false communications for the purpose of annoying, insulting, inconveniencing, or causing ill will should not be criminalised (if need be, having it as a civil offence would more than suffice), doing so for the purpose of causing danger or criminal intimidation should. However, the question arises whether you need a separate provision in the IT Act for that. Criminal intimidation is already covered by ss.503 and 506 of the IPC. Similarly, different kinds of causing danger are taken care of in ss.188, 268, 283, 285, 289, and other provisions. Similarly with the other purposes listed there: if, for instance, a provision is needed to penalise hoax bomb threats, then the provision clearly should not be mentioning words like "annoyance", and should not require that the communication be "persistent". (At any rate, s.505(1) of the IPC suffices for hoax bomb threats, so you don't need a separate provision in the IT Act.)

I would argue that in its current form this provision is unconstitutional, since there is no countervailing interest in criminalising false and persistent "insults", etc., that will allow those parts of this provision to survive the test of reasonableness under Art. 19(2). Furthermore, even the bits that survive are largely redundant. While this unconstitutionality could be cured by better, narrower wording, even then one would need to ensure that there is no redundancy due to other provisions in other laws.

Section 66A(c)

Section 66A(c) was also inserted through an amendment moved by Mr. Raja on December 16, 2008, which was passed by the Lok Sabha on December 22, 2008, and a day after by the Rajya Sabha. (The version introduced in Parliament in 2006 had only 66A(a) and (b).) This was done in response to the observation by the Standing Committee on Information Technology that there was no provision for spam. Hence it is clear that this is meant as an anti-spam provision. However, the careless phrasing makes it anything but an anti-spam provision.
If instead of "for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages" it was "for the purpose of causing annoyance and inconvenience and to deceive and to mislead the addressee or recipient about the origin of such messages", it would have been slightly closer to an anti-spam provision, but even then it doesn't have the two core characteristics of spam: that it be unsolicited and that it be sent in bulk. (Whether only commercial messages should be regarded as spam is an open question.) That it arise from a duplicitous origin is not a requirement of spam (and in the UK, for instance, that is only an aggravating factor for what is already a fine-able activity). Curiously, the definitional problems do not stop there, but
extend to the definitions of "electronic mail" and "electronic mail message" in the explanation as well. Those are so vast that more or less anything communicated electronically is counted as an e-mail, including forms of communication that aren't aimed at particular recipients the way e-mail is. Hence, the anti-spam provision does not cover spam, but covers everything else. This provision is certainly unconstitutional.

The genealogy of UK law on sending indecent, menacing, grossly offensive messages [11] may be traced back to s.10(2)(a) of the Post Office (Amendment) Act, 1935, which made it an offence to send any message by telephone which is grossly offensive or of an indecent, obscene or menacing character. That subsection was reproduced with no change save of punctuation in s.66(a) of the Post Office Act 1953. It was again reproduced in s.78 of the Post Office Act 1969, save that "by means of a public telecommunication service" was substituted for "by telephone" and "any message" was changed to "a message or other matter". Section 78 was elaborated but substantially repeated in s.49(1)(a) of the British Telecommunications Act 1981 and was re-enacted (save for the substitution of "system" for "service") in s.43(1)(a) of the Telecommunications Act 1984. Section 43(1)(a) was in the same terms as s.127(1)(a) of the 2003 Act, save that it referred to "a public telecommunication system" and not (as in s.127(1)(a)) to a "public electronic communications network". Sections 11(1)(b) of the Post Office Act 1953 and 85(3) of the Postal Services Act 2000 made it an offence to send certain proscribed articles by post.

While the above quotation talks about s.127(1), it is equally true about s.127(2) as well. In addition to that, in 1988, the Malicious Communications Act (s.1) was passed to prohibit one-to-one harassment along similar lines. The UK's Post Office Act was eclipsed by the Telecommunications Act in 1984, which in turn was replaced in 2003 by the Communications Act.
Provisions from the 1935 Post Office Act were carried forward into the Telecommunications Act (s.43 on the improper use of public telecommunication system), and subsequently into s.127 of the Communications Act (improper use of public electronic communications network). Section 127 of the Communications Act states:

127. Improper use of public electronic communications network
(1) A person is guilty of an offence if he
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).

Currently in the UK there are calls for repeal of s.127. In a separate blog post I will look at how the UK courts have read down the provisions of s.127 and other similar laws in order to be compliant with the European Convention on Human Rights.

Section 66-B: Punishment for dishonestly receiving stolen computer resource or communication device

Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both. [12]

There is a difference between section 66 and section 66B.
When any person dishonestly or fraudulently does any act referred to in section 43, his act will be an offence under section 66, whereas when any person dishonestly receives or retains any stolen computer resource or communication device, knowing or having reason to believe that the same is a stolen computer resource or communication device, his act will be an offence under section 66B. The offence
under section 66 is of a more serious nature than that in section 66B. In addition to the first condition of receiving or retaining any stolen computer resource or communication device dishonestly, he must have received it knowingly.

Section 66-C: Punishment for identity theft

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh. [13]

This section says that when a person fraudulently or dishonestly makes use of the identity of any other person, he shall be deemed to have committed the offence of identity theft. Identity theft could be theft of electronic signature, theft of computer password or any other identification feature.

In today's society, you often need to reveal personal bits of information about yourself, such as your Aadhaar number, signature, name, address, phone number, cell number or even banking and credit card information. If a thief is able to access this personal information, he or she can use it to commit fraud in your name. Armed with your personal information, a malicious person could do any number of things, like apply for loans or new credit card accounts. It's possible they could request a billing address change and run up your existing credit card without your knowledge. A thief could use counterfeit checks and debit cards or authorize electronic transfers in your name and wipe out funds in a bank account. Identity theft can also go beyond a monetary impact. Thieves can use your information to obtain a driver's license or other documentation that would display their photo but your name and information.
With these documents thieves could obtain a job and file fraudulent income tax returns, apply for travel documents, file insurance claims, or even provide your name and mailing address to police and other authorities if involved in other criminal activities. The outcome of identity theft is usually the same, regardless of how the thief obtains your information. However, the Internet is providing new ways for people to steal your personal information and to commit fraud. Thieves can accomplish their goal in several ways, such as using Internet chat rooms and spreading Trojan horses
that drop key loggers on your computer to transmit any passwords, usernames and credit card numbers you use on your computer back to the thieves. Many online businesses today also store personal information about customers and shoppers on websites, and this provides another way for your personal information to be accessed without your permission or knowledge. Additionally, email phishing is another way that thieves can attempt to gather your personal information. Phishing emails falsely claim to be from an established legitimate enterprise in an attempt to scam you into surrendering private information that will be used for identity theft. The email will direct you to visit a website where you're asked to update personal information, such as passwords and credit card, social security, and bank account numbers, information the legitimate organization already has. The website, however, is bogus and set up only to steal your information. Internet-based identity theft is a problem and it makes people hesitant about making a purchase online, or signing up for what others consider everyday occurrences such as creating a PayPal account, purchasing from ecommerce sites, using auction sites or even using Internet banking and checking credit card statements online.

The most effective deterrent to digital forgery is stunningly simple -- when you get (and later use) your digital ID, someone needs to make sure that you are who you say you are, just as if you were applying for a passport. Clicking an "I agree" button on a Web page or a software installation screen becomes equivalent to signing a contract. You know that annoying screen of boilerplate you see when you install software, and you have to click a button to get past that screen and complete the installation? Now that boilerplate will be a binding contract, an electronic signature, and you sign it by clicking the button.
But when the stakes are higher -- when you're getting a paperless mortgage or buying a used car on eBay -- you'll probably use a digital signature with public-key cryptography. This process relies on two related, long numbers. One number is called a public key, which is kept by a third party called a certificate authority that guarantees that the key belongs to you and posts it on the Internet. The other is your private key, which you keep secret. Either key can be used to electronically scramble an electronic document -- an e-mail, say, or a contract, a bill payment or a step-by-step plan for a hostile business takeover -- and only the other key
can unscramble it. If someone wants to send you a document that only you can read, they scramble it using your public key and send it to you. Only your secret, private key can make it readable. If you want to prove that a document comes from you and not from an impostor, you can scramble it using your secret, private key -- and only your public key can make it readable. As a bonus, no one can alter the document in the slightest way without making it permanently unreadable.

Security can break down because a private key won't simply be something you memorize. The long number will reside on something you carry -- something that can be stolen. Your private key might be stored on a smart card or in a key fob that can be plugged into a computer's USB port. You'll sign by whipping out your smart card or key fob, plugging it into a reader, then entering a personal identification number. Your private key, then, might be about as secure as your ATM card and PIN. Pretty secure, but not foolproof, especially if you have flouted common sense and have written down your PIN where someone can find it. As a security measure, the maker of a smart card can set it to self-destruct if someone types in the wrong PIN several times in a row.

Fortunately, if someone steals the smart card or key fob that stores your private key, you can revoke your public key. The private key will still work, but by revoking the public key, you're announcing that no one should rely on it (and no, revoking your public key will not make a post-revocation signature automatically worthless). If an impostor uses your private key, it's up to the person dealing with that impostor to check if the public key has been revoked. What are the odds that every single person about to accept your digital signature will bother checking the revocation lists? When you apply for your digital ID and get that smart card or key fob in return, someone is supposed to verify that you are who you say you are.
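
The signing, tamper-detection and revocation-checking steps described above, as an added Python sketch that is not part of the original text. It uses textbook RSA with a small constructed key (insecure, illustration only); the certificate serial, subject name and documents are assumed sample values.

```python
"""Toy model of the signing and revocation flow (added example).

Textbook RSA with a small fixed key: insecure, no padding, illustration only.
Serial numbers, names and documents are constructed sample values.
"""
import hashlib
from typing import NamedTuple, Tuple

# Constructed demo key built from two known Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                                  # modulus, part of the public key
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, kept secret


def digest(document: bytes) -> int:
    """Hash the document and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exp: int = D) -> int:
    """'Scramble' the document hash with the private key."""
    return pow(digest(document), private_exp, N)


def signature_matches(document: bytes, signature: int) -> bool:
    """'Unscramble' with the public key and compare against a fresh hash."""
    return pow(signature, E, N) == digest(document)


def encrypt_for_owner(message: bytes) -> int:
    """Anyone can scramble a short message with the public key."""
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("message too long for this toy key")
    return pow(m, E, N)


def decrypt_as_owner(ciphertext: int) -> bytes:
    """Only the private key holder can make it readable again."""
    m = pow(ciphertext, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class Certificate(NamedTuple):
    serial: str      # hypothetical serial number
    subject: str     # whose key the authority vouches for


class CertificateAuthority:
    """Issues certificates and keeps track of revoked ones."""

    def __init__(self) -> None:
        self.revoked = set()

    def issue(self, serial: str, subject: str) -> Certificate:
        return Certificate(serial, subject)

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)


def relying_party_accepts(document: bytes, signature: int, cert: Certificate,
                          ca: CertificateAuthority,
                          check_revocation: bool = True) -> Tuple[bool, str]:
    """Decision taken by the person asked to rely on a signature."""
    if not signature_matches(document, signature):
        return (False, "signature does not match document")
    if check_revocation and cert.serial in ca.revoked:
        return (False, "certificate revoked")
    return (True, "accepted")


def demo() -> dict:
    ca = CertificateAuthority()
    cert = ca.issue("SERIAL-0001", "A. Signer")
    contract = b"I agree to buy the car for Rs. 2,00,000"
    genuine_sig = sign(contract)
    results = {
        "genuine": relying_party_accepts(contract, genuine_sig, cert, ca),
        # One changed character breaks the match.
        "tampered": relying_party_accepts(
            contract.replace(b"2,", b"9,"), genuine_sig, cert, ca),
    }
    # The key fob is stolen: the owner revokes, the thief keeps signing.
    ca.revoke(cert.serial)
    forged = b"I agree to sell my house for Rs. 1"
    forged_sig = sign(forged)              # the stolen private key still works
    results["stolen_key_checked"] = relying_party_accepts(forged, forged_sig, cert, ca)
    results["stolen_key_unchecked"] = relying_party_accepts(
        forged, forged_sig, cert, ca, check_revocation=False)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome}")
```

The last two cases differ only in whether the relying party consults the revocation list, which is the gap the passage points to.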
Then the certificate authority keeps track of public keys that have been revoked.

Samdeep Varghese Vs. State of Kerala and Ors. [14]

Applications seeking anticipatory bail are filed by the 1st and 6th accused in a crime registered at Rajpura City Police Station in Punjab. The offences alleged against the accused in the said crime are under Sections 65, 66, 66A, C and D of the Information Technology Act and Sections 419 and 420 of the IPC.
Earlier the sister and brother-in-law of the 1st accused had moved an application for anticipatory bail before the High Court of Kerala and it had been granted. The bail application is filed stating that the Petitioners apprehended arrest within the territorial jurisdiction of the High Court of Kerala. The applications are opposed by the Additional Advocate General of the High Court of Punjab on the ground that the High Court of Kerala did not have jurisdiction to entertain the application, as the alleged offences were committed within the jurisdiction of the High Court of Punjab.

The learned Single Judge, after a detailed consideration of the precedents on the point, concurred with the earlier judgments of the Kerala High Court, wherein it was held that the High Court within the territorial jurisdiction of which a person apprehends arrest is also entitled to grant anticipatory bail. The learned Single Judge further held that the warrant issued under Section 73 of the Code of Criminal Procedure, by the Magistrate Court at Rajpura for procuring the presence of the accused before the Investigating Officer for aiding the investigation, is not proper. It was held that though a warrant can be issued by the Magistrate Court under Section 73 during the course of investigation also, such warrant shall be issued only for procuring the presence of the person before the Court and not before the Investigating Officer or Police, for aiding investigation. On facts, the learned Single Judge found that the 1st accused, who is employed at Singapore, cannot contend that he apprehends imminent arrest within the territorial jurisdiction of the High Court of Kerala, and hence the application filed by the 1st accused is dismissed.
As far as the 6th accused is concerned, the learned Single Judge found that there are only vague allegations against her and, being a permanent resident at Kochi who apprehends imminent arrest, the 6th accused is entitled to anticipatory bail.

Satinderjit Singh Vs. State of Punjab [15]

This is an application seeking anticipatory bail in case FIR No. 146, dated 19.05.2010, under Section 420 of the Indian Penal Code and Section 66 of Information Technology Act, registered at Police Station Nakodar, District Jalandhar. As per the Petitioner, even if the prosecution story is accepted that the Petitioner has wrongfully used the password of the complainant
company, at the most an offence under Section 66C of the Information Technology Act can be said to have been made out against the Petitioner, which is bailable. The Investigating Officer states that Sections 420, 408, 406 IPC have also been made out against the Petitioner, which is non-bailable. Without expressing any opinion on the point as to whether provisions of the Indian Penal Code can be invoked even when the offence is covered by the Information Technology Act, the order dated 23.07.2010 is made absolute. The Petitioner shall keep on participating in the investigation as and when he is required to do so by the Investigating Officer. The petition stands disposed of accordingly.

Section 66-D: Punishment for cheating by personation by using computer resource

Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees. [16]

Whoever, by means of any communication device or computer resource, cheats by personating, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees. Say, for example, A receives an email that appears to have been sent from a famous online shopping website in India. The email promises her an iPod at a discounted price if she pays Rs. 500 as a deposit amount. Attracted by the offer, she visited a link specified in the email and it redirected her to a webpage where she entered her net-banking username, password and other information. In reality, the email as well as the website was fake, and her information is stolen and misused. Investigations revealed that the fake email and website were created by B. He would be liable under this section. There are three aspects to this section:

1.
It needs to be proved that the person is cheated. Cheating is defined under Section 415 of the Indian Penal Code. It reads as: "Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived to do or omit to do anything which he would not do or omit if he were not so deceived,
and which act or omission causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to "cheat". Explanation: A dishonest concealment of facts is a deception within the meaning of this section."

2. It must be cheating by personation. Cheating by personation is defined under Section 416 of the Indian Penal Code. It reads as: "A person is said to "cheat by personation" if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is. Explanation: The offence is committed whether the individual personated is a real or imaginary person."

3. Cheating by personation must be by using any communication device or computer resource.

However, e-personation is a growing trend. It occurs when thieves, scam artists, or people who want revenge use the Internet to pretend to be someone else, either by creating a fake Facebook or web profile, or by communicating via email with third parties while pretending to be someone else. In some cases, the object is to defraud, perhaps in order to gain confidential information. For instance, a thief might pretend to be someone's distressed parent or friend who has been robbed on vacation, in order to convince his target to wire him money. In other cases, the objective is to bully. For instance, a person might create a fake online profile of the targeted person in order to damage his or her reputation. Jilted boyfriends or girlfriends, for example, might create profiles of their exes on dating or social networking sites and then, pretending to be the ex, post remarks or photos that portray the ex in a bad light.

Samdeep Varghese Vs. State of Kerala and Ors. [17]

Applications seeking anticipatory bail are filed by the 1st and 6th accused in a crime registered at Rajpura City Police Station in Punjab.
The offences alleged against the accused in the said crime are under Sections 65, 66, 66A, C and D of the Information Technology Act and Sections 419 and 420 of the IPC. Earlier, the sister and brother-in-law of the 1st accused had moved an application for anticipatory bail before the High Court of Kerala, and they had been granted the same.


The bail application is filed stating that the Petitioners apprehended arrest within the territorial jurisdiction of the High Court of Kerala. The applications are opposed by the Additional Advocate General of the High Court of Punjab on the ground that the High Court of Kerala did not have jurisdiction to entertain the application, as the alleged offences were committed within the jurisdiction of the High Court of Punjab.

The learned Single Judge, after a detailed consideration of the precedents on the point, concurred with the earlier judgments of the Kerala High Court, wherein it was held that the High Court within the territorial jurisdiction of which a person apprehends arrest is also entitled to grant anticipatory bail. The learned Single Judge further held that the warrant issued under Section 73 of the Code of Criminal Procedure, by the Magistrate Court at Rajpura for procuring the presence of the accused before the Investigating Officer for aiding the investigation, is not proper. It was held that though a warrant can be issued by the Magistrate Court under Section 73 during the course of investigation also, such warrant shall be issued only for procuring the presence of the person before the Court and not before the Investigating Officer or Police, for aiding investigation.

On facts, the learned Single Judge found that the 1st accused, who is employed at Singapore, cannot contend that he apprehends imminent arrest within the territorial jurisdiction of the High Court of Kerala, and hence the application filed by the 1st accused is dismissed.
As far as the 6th accused is concerned, the learned Single Judge found that there are only vague allegations against her and that, being a permanent resident at Kochi who apprehends imminent arrest, the 6th accused is entitled to anticipatory bail.

As reported in the Indian Express: A woman's ex-husband was arrested on charges of creating her fake ID on Facebook, using offensive language on the social networking site for defaming her and for personation, criminal intimidation and defamation. Police today said that the accused Hemant Chowdhary was arrested on Monday under Sections 66-A (sending offensive or false messages through communication service), 66-D (cheating by personation by using computer resource) of IT Act and Sections 500 (punishment for defamation) and 506 (criminal intimidation) of


IPC. Chowdhary was arrested after his ex-wife complained to the police and a case was registered by the Cyber Crime Cell.18

Section 66-E: Punishment for violation of privacy - Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation.- For the purposes of this section-

a. Transmit means to electronically send a visual image with the intent that it be viewed by a person or persons;

b. Capture, with respect to an image, means to videotape, photograph, film or record by any means;

c. Private area means the naked or undergarment clad genitals, pubic area, buttocks or female breast;

d. Publishes means reproduction in the printed or electronic form and making it available for public;

e. Under circumstances violating privacy means circumstances in which a person can have a reasonable expectation that (i) He or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or (ii) Any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.19

Privacy is one of the most contentious legal issues arising in Cyberspace. Just as in the actual world, privacy is of extreme importance to not only an individual netizen but also corporations and Governments. For the present, privacy of the individual netizens has acquired critical relevance. There is no comprehensive legislation on privacy in our country. We do not even have a specific law on privacy like a lot of other countries. As such it has been left to the judiciary to interpret


privacy within existing legislations. The right to privacy has been held by the Hon'ble Supreme Court of India as an integral part of the fundamental right to life under Article 21 of The Constitution of India.

In addition, in today's scenario, a lot of websites collect information of net surfers which is often not protected but is sold for commercial considerations to other companies. In other cases, the servers of websites containing valuable information of consumers are hacked into and the said information is stolen for the purpose of valuable consideration. The stolen information is then invariably sold to different companies who then send unsolicited emails to the email addresses of different persons. All these varied endeavours are a grave violation of individual privacy. Cyberlaw has to tackle this ticklish issue. I would suggest that individual netizens should be given the liberty to move court in India for monetary damages for violation of their individual privacy. Unfortunately, however, in India, awareness about privacy is at a very low level in the actual world, leave aside Cyberspace.

It is important that the government should legislate about privacy in Cyberspace. Websites must be mandated to follow strict guidelines on various issues concerning individual privacy. Websites must give a crystal clear notice to the netizen that they are collecting information, what kind of information is being collected and for what purpose, as also how the collected information about the netizen would be utilized. Netizens should also be given a choice to state whether the information being collected about them should be used for any other purpose except for fulfilling the transaction for which the information is being collected. For example, when I am buying music online, the website would ask different kinds of information about me and my tastes.
In such a scenario, I should be given the choice to decide whether the information I give about myself to the website before buying music on the same should be used for any other purpose by the said website except for the purpose of completing the transaction of selling music online to me. Cyberlaw should also give the facilities of reasonable access to the netizen. Once a person gives his information on the websites, he must have the right to access the said information collected on him by the website and, in addition, he should also have a reasonable opportunity to make any corrections of the said information or of any errors, as also the choice of deleting any or the entire data of


information on him collected by the said website. It is also essential for all web sites, portals and companies to ensure that the collected information relating to netizens is properly handled to rule out unauthorised access of the same or its theft.

The Supreme Court declined to entertain a PIL by law teacher Prof S N Singh, who had sought directions to the Centre to act against internet service providers for allegedly breaching right to privacy of internet users through unauthorized sharing of their personal data with US intelligence agencies. The PIL came to be filed in the apex court amid reports of US cyber intelligence units snooping on secret data worldwide. Prof Singh had requested the court to direct the Union government to take urgent steps to protect its official data stored on the internet and also the privacy of millions of Indians holding accounts with social networking sites. Singh said thousands of government offices and lakhs of government officials used free accounts on Google, Yahoo and Hotmail to send mails and feared that these provided easy access to external agencies to snoop or hack through the database. He argued that right to privacy was held to be intrinsic to every citizen's fundamental right to life.

But a bench of Justices A K Patnaik and Ranjan Gogoi said right from the inception, the apex court had consistently held that one could approach the Supreme Court directly with a writ petition on alleged violation of his/her fundamental rights only when the state was the violator of the fundamental right. The bench said internet users had entered into an agreement with internet service providers which barred sharing of personal data without prior consent and the petitioner's case was that the service providers had breached that agreement. The court said it was a case of breach of private contract allegedly leading to violation of right to privacy and, in turn, right to life.
For this, the petitioner could approach the high court, which had wider power under writ jurisdiction, the bench said. Prof Singh had requested the court to direct the government to initiate action against such internet companies for breach of contract and violation of right to privacy by sharing 6.3 billion Indian data with US intelligence agencies. He also sought a ban on Indian government communications routed through US-based servers.

In Sunny Dhiman Vs. State of Punjab20; Accused Sunny


Dhiman has filed this petition under Section 482 of the Code of Criminal Procedure, for quashing FIR no. 4 dated 19.07.2011 under Sections 66E/67-A Information Technology Act 2000 and Sections 328, 354, 506, 509 of IPC registered at Police Station Punjab State Cyber Crime SAS Nagar, Punjab, District Mohali, in view of compromise effected with respondent no. 2-complainant as well as his daughter respondent no. 3 (the victim). In reply affidavits on behalf of respondents no. 2 and 3, compromise has been admitted and it has been stated that respondents no. 2 and 3 have no objection if the impugned FIR is quashed. Counsel for respondents no. 2 and 3 also states that in view of compromise, respondents no. 2 and 3 have no objection to the quashing of the FIR.

Court held: In appropriate cases, FIR can be quashed on the basis of compromise by exercising power under Section 482 Cr.P.C., even if the offences are not compoundable. It was so held by Full Bench of this Court in the case of Kulwinder Singh Vs. State of Punjab.21 In the instant case, counsel for respondents no. 2 and 3 states that although offences involved are of serious nature, yet respondents no. 2 and 3 have entered into compromise with the petitioner keeping in view future life of respondent no. 3 who is unmarried girl. Ordinarily FIR involving such offences as in the instant case would not be quashed even on the basis of compromise. However, in the instant case, future life of respondent no. 3 unmarried girl including her marriage prospects may be adversely affected if the FIR is not quashed. It is apparent that keeping in view this circumstance, respondents no. 2 and 3 have entered into compromise. The petitioner has already remained in custody since 22.08.2011 till today i.e. for almost four months. Keeping in view the peculiar facts and circumstances, it would be in the interest of justice to quash the impugned FIR.

Who is the competent authority to try offences under Chapter XI of the I.T. Act?
In Shiva Jatan Thakur (Dr.) Vs. Union of India & Ors.22; court elaborately discussed the jurisdiction aspect of the Information Technology Act. With the help of this petition, made under Section 482 of the Code of Criminal Procedure, read with Article 227 of the Constitution of India, the petitioner, who is accused in G.R.


Case No. 135/2011, arising out of Dimapur East Police Station Case No. 73/2011, under Section 500/506/507/509 IPC, read with Section 66A/66E/67A of the Information Technology Act, 2000 (hereinafter referred to as the I.T. Act), has sought to get set aside and quashed the First Information Report, which has given rise to the case aforementioned, and the Charge-Sheet, which has been submitted on completion of investigation into the case.

Making this Court traverse through various provisions of the I.T. Act, accused contends that Section 81 of the Act makes it clear that the I.T. Act has been given overriding effect over other penal enactments including the Code of Criminal Procedure. Taking a cue from Section 81, that the I.T. Act has an overriding effect, as indicated hereinbefore, the accused refers to Section 46 of the I.T. Act to show that the power to try an offence, under the I.T. Act, rests with the adjudicatory authorities mentioned in Chapter IX of the I.T. Act.

While considering the above submission, made on behalf of the accused-petitioner, it needs to be noted that Chapter IX runs under the heading, Penalties, Compensation and Adjudication. Sections 43, 43A, 44, 45, 46 and 47, contained in Chapter IX, embody a scheme for adjudication of various disputes/controversies, which may arise, leading to compensation, penalty, award, etc., for the damage, which may be sustained. Chapter IX does not set any condition precedent for attracting the provisions of Chapter IX, which embodies various offences, which the I.T. Act creates. The question, therefore, which falls for determination is: Who is the competent authority to try offences under Chapter XI of the I.T. Act?

Court observed: There can be no dispute that the I.T. Act is a special Act and, in terms of the provisions of Section 4 of the Code of Criminal Procedure, read with Section 81 of the I.T. Act, the offences, under the I.T.
Act shall be investigated, inquired into, tried and, otherwise, dealt with according to the provisions contained in the Code of Criminal Procedure, subject to, however, any provision(s), which may be contained in the I.T. Act, indicating otherwise. The First Schedule to the Code of Criminal Procedure divides the entire Code into two parts, viz., Part-I and Part-II. Part-I deals with offences under the Indian Penal Code and specifies as to whether a given offence is cognizable or non-cognizable, bailable or non-bailable, and who is competent to try the offence, whether a Magistrate or a Court of Session.


Part-II deals with other laws, which obviously, means and includes special penal acts, such as, the I.T. Act. Part-II classifies the offences into cognizable, non-cognizable, bailable and non-bailable, depending, substantially, upon the length of imprisonment prescribed for a given offence. Even the question as to who can try an offence, under a special law, is answered by Part-II on the basis of the length of imprisonment prescribed. For instance, if an offence is punishable with imprisonment for less than three years or with fine only, such an offence is non-cognizable, bailable and triable by any Magistrate; whereas, if an offence is punishable with imprisonment for three years and upwards but not more than seven years, then, the offence is cognizable, non-bailable and is triable by a Magistrate of First Class and, if an offence is punishable with death, imprisonment for life, or imprisonment for more than seven years, the offence is cognizable, non-bailable and is triable by a Court of Session.

Admittedly, the I.T. Act does not specify as to who would or which Court would try the offences, which the I.T. Act has created. A cross-examination of the offences, which have been created in Chapter IV of the I.T. Act, shows that the offences are punishable either by imprisonment up to three years or with fine, or with both, but some of the offences are punishable by imprisonment of seven years and even imprisonment for life. Considering the fact that the offences, which have been mentioned under Chapter XI, are all punishable with imprisonment for three years and above, there can be no escape from the conclusion that all these offences are cognizable offences and, being cognizable offences, the police is competent to register the offences and investigate the same, the only limitation being that a police officer, in order to be competent to investigate the case, must be of the rank of, at least, an Inspector.
Assailing the legality of the investigation and also the filing of the Charge-Sheet, accused has also referred to Section 80 of the I.T. Act to contend that unless an officer is empowered by the Central Government or the State Government, as the case may be, he is not competent to investigate an offence under the I.T. Act. For the purpose of correctly appreciating the submissions, so made, let me reproduce sub-section (1) of Section 80 of the I.T. Act. From a bare reading of Section 80(1), it becomes clear that a police officer, not below the rank of Inspector, is empowered to investigate an offence under the I.T. Act. Such empowerment, which Section 80(1) envisages, is required in respect of an officer other than a police officer of the rank of Inspector. It is, therefore, impossible to agree with accused that unless a police officer is specially empowered by the Central Government or the State Government, as the case may be, he is not competent to investigate an offence under the I.T. Act. As already indicated hereinbefore, every police officer, not below the rank of Inspector, is competent, in the light of the provisions of Section 80, to investigate an offence created under the I.T. Act.

In the present case, since the petitioner has sought for quashing of the FIR as well as the Charge-Sheet, it needs to be pointed out that as far as the law with regard to quashing of FIR is concerned, it is no longer res integra. It is also clear that if the contents of the FIR/complaint constitute offence, such a complaint cannot be quashed. It is clear from a close reading of the principles laid down in the case of R.P. Kapoor and Bhajanlal that, broadly speaking, quashing of a First Information Report or a complaint is possible, (a) when the allegations made in the First Information Report or the complaint, even if taken at their face value and accepted in their entirety as true, do not prima facie constitute any offence or make out a case against the accused; (b) when the uncontroverted allegations made in the FIR or complaint and evidence collected in support of the same do not disclose the commission of any offence and/or make out a case against the accused; and (c) when the allegations made in the FIR or complaint are so absurd and inherently improbable that on the basis of such absurd and inherently improbable allegations, no prudent person can ever reach a just conclusion that there is sufficient ground for proceeding against the accused.
In other words, when the allegations made in a complaint disclose commission of an offence, such a complaint cannot be quashed by relying upon some other materials on which will depend the defense of the accused, for, in such cases, truthfulness or otherwise of the allegations contained in the complaint or the probability of the defense plea can be determined only by effective investigation or at the trial. In the light of the law as regards quashing of FIR, I, now, turn to the contents of the present FIR and determine if the FIR is sustainable in law.


When the contents of the FIR are read as a whole, it clearly emerges that the facts alleged therein constitute offences not only under the Indian Penal Code, but also under the I.T. Act. The present one is not a case where the facts, as alleged in the FIR, do not disclose commission of any offence if the same are assumed to be true. Furthermore, being covered by Part-II of the First Schedule of the Code, the offences are, as already indicated above, triable in accordance with the classification made under Part-II of the First Schedule of the Code of Criminal Procedure. In such circumstances the question of quashing of the FIR does not arise.

As far as the issue of quashing of the present Charge-Sheet is concerned, no infirmity, in the investigation, could be pointed out, which would have impelled this Court to quash the Charge-Sheet. In fact, the Charge-Sheet has been sought to get quashed on the ground, as indicated above, that the procedure, prescribed in Chapter-IX, has not been followed. In this regard, suffice it to point out that this Court has already indicated above that recourse to Chapter IX is not a precondition for registration of an offence by the police or for investigation thereof leading to trial of the accused. Situated thus, it becomes clear that the present application has no substance and must, necessarily, fail. In the result and for the foregoing reasons, this Criminal petition fails and the same shall accordingly stand dismissed.
Section 66-F: Punishment for cyber terrorism -

(1) Whoever,

(A) With intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by

(i) Denying or cause the denial of access to any person authorised to access computer resource; or

(ii) Attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or

(iii) Introducing or causing to introduce any Computer Contaminant,

and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or

(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise,

commits the offence of cyber terrorism.

(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.23

After the 26/11 attack, the Indian government had brought into effect a set of proposed amendments to the Information Technology Act 2000, which has specific provisions for combating cyber terrorism. The provision under section 66F discusses cyber terrorism in the broadest sense. This provision actually lays down the punishment to be meted out for actors of cyber terrorism. The definition of the term cyber terrorism is glaringly missing in this provision. To strengthen the law on cyber terrorism, the Indian government had further proposed a set of Rules in 2011, which promises to tighten the loose loops.
In the wake of the recent Mumbai terrorist strike, cyber terrorism has been defined as an offence in the newly inserted section 66F in the proposed amendment to the IT Act: one who causes denial of access to computer resources, or has unauthorized access to a computer resource, or introduces a virus, with the intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in any section of the people, is deemed to be committing cyber terrorism.


If a person has unauthorized access to a computer resource with the intent to breach the security of the state, its sovereignty and integrity, and friendly relations with foreign states, then also he is deemed to be committing cyber terrorism. Further, Sections 69 and 69A of the amended Act empower the state to issue directions for interception, monitoring, decryption of any information through any computer resource; and for blocking websites in the interest of national security, and friendly relations with foreign states. Further, Section 69B empowers the government to authorize to monitor, collect traffic data or information through any computer resource for cyber security.

Thus, the wording of Section 66F suggests that the use of the internet in an ancillary role in furtherance of terrorism (ancillary cyber activities), for example terrorist use of information technology to formulate plans, spread propaganda, support terrorist recruiting, raise funds, and communicate, is not regarded as cyber terrorism. It is only when the destructive nature of the act itself is carried out via computers or other cyber/electronic means, through techniques such as infected e-mail attachments, that it is so regarded. Delivery of the terrorist's message via the Internet does not constitute cyber terrorism. The government can at most watch the use of Computer resource or IT communication resources by the terrorists. Thus, the IT Act needs to be made more stringent to incorporate even ancillary cyber activities to further terrorism as an act of cyber terrorism and thus, the wording of Section 66F be suitably drafted.

From this section, it could be inferred that cyber terrorism is an act of hacking, blocking and/or computer contaminating in order to restrict legally authorized persons to access computer resources in general, and/or to gain or obtain unauthorized access to any information which is a restricted information for the purpose of security of the state, or foreign relation etc.
These are gruesome acts which are done with an intention to threaten the security, sovereignty and integrity of India or strike terror in the minds of people or a section of people; and which may result in death and injury to people, damage to properties, disruption of civil services which are essential to the life of a community, and also affect the critical information infrastructure. However, in the case of 26/11 Mumbai attacks, it could be seen that terrorists had used communication services not to hack or block the protected information, but to aid the terrorists to carry on with the massacre.


However, when the communication is looked at in total, it could be seen that this speech was carried on to disrupt the peace, security and sovereignty of India and thereby it loses its nature of a protected speech under Art 19A of the Constitution of India. At the same time, it is an act of terrorism. In the definition provided by section 66F, this particular aspect is glaringly absent.

The Information Technology Act, 2000 (amended in 2008) had painstakingly taken efforts to secure protected systems, which is defined by Section 70. The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system. Explanation added to this section further explains that Critical Information Infrastructure would mean that vital computer resource regarding national security, economy, public health and safety, which if destroyed or damaged, shall have a debilitating impact on these issues.

Section 67: Punishment for publishing or transmitting obscene material in electronic form - Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

Section 67 deals with publishing or transmitting obscene material in electronic form.
The earlier Section in ITA was later widened as per ITAA 2008 in which child pornography and retention of records by intermediaries were all included. Publishing or transmitting obscene material in electronic form is dealt with here. Whoever publishes or transmits any material which is lascivious or appeals to the prurient interest or if its effect


is such as to tend to deprave and corrupt persons who are likely to read the matter contained in it, shall be punished on first conviction for a term up to three years and fine of five lakh rupees and on second conviction for a term of five years and fine of ten lakh rupees or both.

This Section is of historical importance since the landmark judgement in what is considered to be the first ever conviction under I.T. Act 2000 in India was obtained under this Section in the famous case State of Tamil Nadu vs Suhas Katti on 5 November 2004. The strength of the Section and the reliability of electronic evidences were proved by the prosecution and conviction was brought about in this case, involving sending obscene message in the name of a married woman amounting to cyber stalking, email spoofing and the criminal activity stated in this Section.

Watching pornography no offence: IPC and IT Act: Consumption of pornography is no offence. All that the law forbids is its publication or transmission. Even if one's smart phone had contained porn clips, this is frowned upon by neither the Victorian-vintage Indian Penal Code (IPC) nor the 21st Century legislation on Information Technology (IT). Both laws, separated by over 130 years, are unsparing towards the producer or supplier of obscene material. But when it comes to the consumer, neither law offers any scope to the police to make out even the lesser charge of abetting the alleged crime of obscenity.

The IT Act does, however, make the end user liable if it can be shown that he had more than just consumed pornography. The consumer would fall foul of the IT Act if he had shared the video with others. The three provisions relating to pornography forbid not just publishing but also transmitting. Section 67 of the IT Act imposes a penalty of imprisonment up to three years for publishing or transmitting obscene material in electronic form.
Section 67A prescribes imprisonment up to five years for the same offence if the material in question contains sexually explicit act or conduct. The penalty under Section 67B too goes up to five years as this provision deals with the aggravated offence of child pornography. The consumer would be vulnerable to one or the other of these pornography related provisions even if he had shared the video only within his circle of friends. The very act of transmitting constitutes the offence. Thus, the consumer is safe so long as he is content


receiving or downloading pornographic material. Besides shunning the temptation of sharing salacious videos, the consumer should be wary of misusing his mobile to invade somebody's privacy. Section 66E, one of the amendments made to the IT Act in 2008, introduced punishment up to three years for whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person. The rules notified under the IT Act last month make it clear that pornography can be safely consumed from one's home or from one's personal devices. But cyber cafes are required to block pornographic sites, evidently because of the danger of children gaining access to them.

In Abdul Hamid and Another Vs. C.B.I.24; court decided that the circumstances of this case invoke the application of section 67 of IT Act, 2000. The prayer in this petition is to grant regular bail to the Petitioners in case registered under Section 67 of the Information Technology Act, 2000, etc. A FIR was registered at Police Station Shaheed Gunj Srinagar, under Section 67 of the Information Technology Act, 2000, inter alia, alleging that a boy handed over a compact disc to a fruit vendor which contained pornographic material including photographs of a girl of the locality. The fruit vendor allegedly handed over the CD to Samaj Sudhar Committee which, in turn, handed it over to the police, resulting in registration of the FIR by the police at Srinagar. The girl appearing in the CD was identified as W-1 and, based upon her statement before the J&K police, it was allegedly revealed that Petitioner No. 2 i.e. Sabeena was running a 'prostitution ring' involving several girls including W-1, and various influential politicians, bureaucrats, senior police officers etc. were involved in the said sex racket.
The issue having been sensitized by the media, the J&K High Court Bar Association filed a Public Interest Litigation and, pursuant to the direction issued therein by the J&K High Court, statements of some witnesses were recorded in the presence of the District & Sessions Judge, Srinagar. Thereafter, vide notification dated 9.5.2006, the investigation of the case was entrusted to the CBI, which registered the present
FIR. On a separate petition filed before the Hon'ble Supreme Court, the trial of the case has been transferred to the Court of the learned District & Sessions Judge, Chandigarh. As noticed above, Petitioner No. 2 was accused of running a 'prostitution racket' and various 'influential persons' were allegedly her customers. Petitioner No. 1, who is the husband of Petitioner No. 2, allegedly helped and conspired with his wife in running the said racket. The Court took the view that, though it is not desirable or expedient for this Court to express any views in relation to the merits of the case, more so when the formal trial proceedings have started, it appears from the material on record that the girls allegedly involved by Petitioner No. 2 in the prostitution business were major. There is, however, no dispute that pursuant to the time-bound directions issued by this Court on February 28, 2007, the statement of the alleged minor girl has already been recorded and she has been cross-examined at length. It is informed that she has also been sent back to J&K State. While granting bail to the Petitioners' co-accused, this Court took specific notice of the fact that an individual should not be deprived of his liberty even before his conviction and sentence, and that there was nothing to suggest what purpose, or what part of the collective conscience of society, would be assuaged by incarcerating the Petitioners any further. There is hardly any denial of the fact that, despite its earnest efforts to expedite the trial proceedings, and having regard to the total witnesses to be examined and the voluminous records, the learned trial Court is likely to take a considerably long period to conclude the trial. The Petitioners, as it appears, do not belong to the influential class of society. In these circumstances and for the reasons aforestated, this petition is allowed.
The Petitioners are directed to be released on bail subject to their furnishing bail bonds to the satisfaction of the trial Court.

Abhijith R. Prasad Vs. State of Kerala Represented and The Circle Inspector of Police[25]

The petition is for anticipatory bail. The offence alleged is under Section 67 of the Information Technology Act. According to the prosecution, the petitioner morphed certain photographs of some women
to make them appear to be nude, using his computer. When the de facto complainant went to the petitioner's house, he happened to see the morphed photographs on the computer while the petitioner was operating it. Hence, he made a complaint and a case was registered under Section 67 of the Information Technology Act. The petitioner submitted that he was aged only 16 years at the time of the alleged offence. He is a student. He had learned the software Photoshop and, along with his friends, edited the photos using it. But none of those photographs were published or transmitted or caused to be published on the internet. Section 67 of the IT Act reveals that publication is an offence. The petitioner, later on realising that he should not have done the act, deleted the edited photographs. The hard disk of the computer was given to a neighbour when he demanded the same. The de facto complainant is an enemy of the petitioner's father on political issues. The de facto complainant never visits the petitioner's house because of the enmity with the petitioner's father, and it is not correct to say that the de facto complainant had seen any photographs on the computer of the petitioner. The case is foisted against the petitioner only to wreak vengeance against the petitioner's father, it is submitted. The learned Public Prosecutor submitted that the petitioner appeared before the Investigating Officer and was interrogated. His statement was also recorded. Recovery of the relevant materials has already been effected. It is also conceded that the de facto complainant and the petitioner's father are on inimical terms with each other. It is also pointed out by the learned Public Prosecutor that the only offence alleged against the petitioner is under Section 67 of the Information Technology Act and, on first conviction, the punishment is only up to 3 years and also fine.
It is further pointed out that, as per Section 77B of the said Act, the offence punishable up to 3 years is only bailable. The Court held that the petitioner has a strong and arguable case in respect of involvement of offence under Section 67 of the Information Technology Act. Considering the various facts and circumstances, including the fact that recovery has already been effected, the court found that anticipatory bail can be granted to the petitioner on conditions.

Bazee.com case

The CEO of Bazee.com was arrested in December 2004 because a CD with objectionable material was being sold on the website. The
CD was also being sold in the markets in Delhi. The Mumbai city police and the Delhi Police got into action. The CEO was later released on bail. This opened up the question as to what kind of distinction we draw between an Internet Service Provider and a Content Provider. The burden rests on the accused to show that he was the Service Provider and not the Content Provider. It also raises a lot of issues regarding how the police should handle cyber crime cases, and a lot of education is required.

Rajiv Dinesh Gadkari through P.A. Depamala Gadkari Vs. Smt. Nilangi Rajiv Gadkari[26]

The present appeal is directed against the judgment and order dated 23rd January, 2009, passed by the learned Judge of the Family Court No. 6 at Bandra, Mumbai, by which the learned trial Judge allowed the petition filed by the respondent herein, and the marriage between the appellant husband and the respondent wife was dissolved by a decree of divorce under Section 13(1)(ia) of the Hindu Marriage Act, 1955. The respondent wife preferred the petition for a decree of dissolution of marriage on the ground of cruelty. The marriage of the appellant husband and the respondent wife was solemnized on 26th June, 2002 at Nasik as per Hindu Vedic rites. After the marriage, the respondent went to the U.S.A. along with the appellant. It is the case of the respondent that, after reaching the U.S., the appellant insisted that the respondent should change her lifestyle and follow the American lifestyle. He insisted that she cut her hair and compelled her to eat beef and pork and also compelled her to prepare it at home, and if she refused, he used to shout at her. He showed no respect for God and Hindu deities and did not give money to her to buy Indian food. The appellant even compelled her to have alcohol, and he always criticized and scolded her as Indian and also forced her to wear short and vulgar clothes which she disliked, and compelled her to mix with boys.
It is also the case of the appellant that even after the arrival of the appellant's mother in the U.S., there was no change in the situation and she was also insisting that she change her lifestyle as expected by the appellant. It is the case of the respondent that her husband and her mother-in-law were calling her conservative and backward, and ultimately, when she got an opportunity to come back to India for the purpose of appearing in the M.A. Examination, she came back
to India on 5th February, 2003. It is her case that since she had come to India for the examination, she did not bring her jewellery articles and valuables along with her. It is also the case of the respondent that when she wrote a letter to the appellant expressing her desire to dissolve the marriage and seeking his consent, the appellant refused and made false allegations, including stealing of his valuables, and was blaming the respondent. It is also her case that she learnt that the appellant was medically unfit on the basis of an ECG scan of his brain, and that this fact was concealed from her at the time of marriage. It is also her case that lastly she had received a letter from the appellant seeking divorce by consent, but still he continued to harass her by uploading vulgar photographs, text and images on the website and had accordingly defamed her, for which she filed a defamation complaint under Cyber Crime, and the offence is already registered against the appellant. The respondent wife accordingly filed the said petition on the aforesaid grounds. She also prayed for return of articles and prayed for maintenance at the rate of Rs. 75,000/- per month. The appellant, who was the respondent before the trial Court, filed a written statement and denied the allegations made in the petition. It is the case of the appellant in his written statement that the respondent had entered into marriage with the appellant with an intention to enjoy life and privileges in America, and that at the cost of the appellant she enjoyed American life for seven months and came back to India abruptly. It is his case in the written statement that the respondent and her family never showed any interest or inclination towards finding a feasible solution to save the marriage or solve her so-called imaginary problems. It is the case of the appellant that he is a well educated, hard working, soft spoken and humble person and believes in individual freedom and mutual respect.
It is his case that the respondent used to consume wines and that she was not doing any household work. It is also the case of the appellant that at the time of coming to India, she had taken all her jewellery with her. On these and such other grounds, the petition was resisted by the appellant. The learned Judge of the Family Court framed various issues and, after considering the evidence led by the wife, came to the conclusion that the respondent wife has proved that the appellant
has treated her with cruelty. The respondent had given up her claim for maintenance as well as her claim for jewellery and, therefore, no order regarding the same was passed. The petition was allowed by passing a decree for divorce. The aforesaid order of the Family Court is impugned in this First Appeal at the instance of the appellant husband. The appellant submitted that the Family Court has not permitted the appellant to cross-examine the respondent wife, and that the Family Court has decided the case against the appellant only on the basis of the written statement of the appellant, which cannot be said to be a substantive piece of evidence. It was further submitted that in the proceedings before the Family Court, initially a power of attorney was given by the appellant to the father of the appellant, who subsequently died. It was further submitted that even as per the evidence of the wife, even if she was asked to prepare such food, it cannot be said that she was treated with cruelty. The respondent married the appellant with the full knowledge that she was required to settle in America, and subsequently she cannot make any complaint regarding the lifestyle which she was required to follow. During the pendency of this appeal, it was suggested by the learned Counsel for the appellant that, in order to put an end to the dispute, the appellant is willing to settle the dispute by withdrawing the present appeal and accepting the decree for divorce, provided the respondent wife withdraws all criminal cases filed against the appellant by her under the Cyber Law. In this behalf it is required to be noted that the appellant has also submitted a proposal at Exh. 23 before the Family Court through his advocate, stating that the consent terms should include an undertaking of the respondent wife that she would not raise any objection and would give her consent for quashing all pending criminal proceedings.
So far as the suggestion of the appellant to withdraw the cases is concerned, the respondent submitted that she is not going to withdraw the criminal case under the Cyber Law as, according to the respondent, her life has been spoiled by the appellant by publishing defamatory articles on the website, thereby tarnishing her image in society, and her prospects for future marriage have been completely diminished. Regarding putting the photographs of the respondent on the
website, it is averred in the written statement that the appellant can never do such vulgar things in respect of any woman. It is his case in the written statement that the respondent had taken away all her single photographs while leaving the U.S. and it is possible that one of her own admirers might have put them on the website. In her affidavit, she has stated that the appellant fabricated vulgar text of her profiles on different websites, that he uploaded the photographs taken at the time of her visit to Hawaii Island, which he possessed, and that he used to visit these websites frequently. In view of the above, she had to inform the web hosting companies on whose websites the vulgar profiles, text, images and photos were uploaded, as a result of which the same were pulled down by the web hosting companies. She has stated in her affidavit that on account of the websites appearing, her family members started receiving obscene calls and, on making further enquiries, the family members came to know of the different websites, and in view of the same she filed a complaint with the Cyber Crime Investigation Cell, Mumbai, and the FIR was registered on 20th September, 2003 under Section 67 of the Information Technology Act, 2000. It is also required to be noted that, on the basis of the above, emails were sent to the respondent, copies of which are produced on record. Relying upon the above, the learned Counsel for the respondent has argued that her life is now totally spoiled and she has been defamed in society as a lady of easy virtue, and that is why she is not willing to withdraw the criminal case. The photographs which were published on the websites are produced on record. Whoever has done this act, the same is extremely shocking. There are other website publications which are produced on record but, looking to the contents of the said publications, we would not like to discuss the same in detail. Suffice it to say that the same is very disgusting and absolutely in bad taste.
It is the case of the respondent that the appellant is a Computer Engineer and that these publications had been made on the websites only at his instance. It is very unfortunate that a lady is required to undergo such torture at the hands of her husband. The Court held: It is very unfortunate that the respondent wife is required to face such type of torture, and whoever has done this act has acted in a very cruel manner with the respondent and has tried to spoil the life of the respondent. Since criminal case in this regard is
pending, we would not like to express any opinion on this aspect of the matter. However, we are of the view that this is an eye opener for parents whose daughter is going to marry a person settled in a foreign country, and in such cases they are required to take appropriate care to find out the credentials of the person who has settled in another country. If the matrimonial knot is tied without proper verification, it may result in serious difficulties, as has happened in the present case. It is the case of the respondent wife that these website photographs and other particulars have been given after she returned to India and that her photographs have been misused by the appellant, as they were available with him at the time when she was residing with him in America. Though, as pointed out earlier, the learned Counsel for the appellant submitted that the particulars and photographs of the respondent wife might have been put on websites by someone else from America, as stated above, since proceedings in this behalf are pending before the competent court, we would not like to discuss the said aspect in detail. Be that as it may, considering the facts and circumstances and considering the evidence on record produced by the respondent wife, in our view, the respondent can be said to have made out her case of cruelty and, therefore, this is not a case in which this Court would like to interfere with the order of the Family Court. As pointed out earlier, the counsel for the appellant has fairly submitted that the appellant is not going to come to India to give evidence but his mother may give evidence on his behalf. Considering the said aspect, in our view, no interference is called for so far as the order passed by the Family Court granting a decree for divorce is concerned. The Court did not find any substance in the appeal. The appeal is accordingly dismissed.
Before parting with this order, we may clarify that our observations in this matter are to be treated only in connection with the present appeal and will have no bearing on any other proceedings pending before the criminal Court in connection with cyber law.

Similarity of Section 67 of the IT Act, 2000 and Section 292 IPC

In Maqbool Fida Husain Vs. Raj Kumar Pandey[27], the Court held that Section 292 IPC was enacted by the Obscene Publications
Act to give effect to Article I of the International Convention for suppression of or traffic in obscene publications, to which India is a signatory. By Act 36 of 1969, Section 292 was amended to give more precise meaning to the word 'obscene' as used in the section, in addition to creating an exception for publication of matter which is proved to be justified as being for the public good, being in the interest of science, literature, art or learning or other objects of general concern. Prior to its amendment, Section 292 contained no definition of obscenity. The amendment also literally does not provide a definition of obscenity, inasmuch as it introduces a deeming provision. On a bare reading of Sub-section (1) of Section 292, it is obvious that a book etc. shall be deemed to be obscene (i) if it is lascivious; (ii) if it appeals to the prurient interest; and (iii) if it tends to deprave and corrupt persons who are likely to read, see or hear the matter alleged to be obscene. It is only once the impugned matter is found to be obscene that the question of whether the impugned matter falls within any of the exceptions contained in the section would arise.
Section 67 of the Information Technology Act, 2000, relevant for the subject under discussion, reads as follows:

Publishing of information which is obscene in electronic form.--Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

Thus Section 67 is the first statutory provision dealing with obscenity on the Internet. It must be noted that both under the Indian Penal Code, 1860 and the Information Technology Act, 2000, the test to determine obscenity is similar. Therefore, it is necessary to understand the broad parameters of the law laid down by the courts in India in order to determine obscenity.
Section 67-B: Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form - Whoever,
a. publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct; or
b. creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner; or
c. cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource; or
d. facilitates abusing children online; or
e. records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,
shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:
Provided that the provisions of section 67, section 67-A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form
i. the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or
ii. which is kept or used for bona fide heritage or religious purposes.
Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.[28]

Child pornography has been exclusively dealt with under Section 67B. Depicting children engaged in a sexually explicit act, creating text or digital images or advertising or promoting such material depicting children in an obscene or indecent manner etc., or facilitating abusing children online or inducing children to online relationship with one or more children etc., come under this Section. "Children" means persons who have not completed 18 years of age, for the purpose of this Section. Punishment for the first conviction is imprisonment for a maximum of five years and a fine of ten lakh rupees, and in the event of subsequent conviction, imprisonment of seven years and a fine of ten lakh rupees. Bona fide heritage material being printed or distributed for the purpose of education or literature etc. is specifically excluded from the coverage of this Section, to ensure that printing and distribution of ancient epics or heritage material or pure academic books on education and medicine are not unduly affected. Screening videographs and photographs of illegal activities through the Internet all come under this category; making pornographic video or MMS clippings, or distributing such clippings through mobile or other forms of communication through the Internet, also falls under this category. In February 2009, the Parliament of India passed the Information Technology Bill, which made creation and transmission of child pornography illegal. The newly passed Information Technology Bill is set to make it illegal not only to create and transmit child pornography in any electronic form, but even to browse it. The punishment for a first offence of publishing, creating, exchanging, downloading or browsing any electronic depiction of children in an obscene or indecent or sexually explicit manner can attract five years in jail and a fine of Rs 10 lakh.
Section 67-C: Preservation and Retention of information by intermediaries - (1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe. (2) Any intermediary who intentionally or knowingly
contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.[29]

Section 67C fixes the responsibility on intermediaries to preserve and retain such information as may be specified, for such duration and in such manner as the Central Government may prescribe. Non-compliance is an offence with imprisonment up to three years or fine.

Section 68: Power of Controller to give directions - (1) The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made there under. (2) Any person who intentionally or knowingly (Inserted vide ITAA 2008) fails to comply with any order under sub-section (1) shall be guilty of an offence and shall be liable on conviction to imprisonment for a term not exceeding two years or to a fine not exceeding one lakh rupees or with both.
Section 69: Powers to issue directions for interception or monitoring or decryption of any information through any computer resource - (1) Where the Central Government or a State Government or any of its officer specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored
in any computer resource. (2) The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed. (3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to
a. provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or
b. intercept, monitor, or decrypt the information, as the case may be; or
c. provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with imprisonment for a term which may extend to seven years and shall also be liable to fine.

This section provides the powers to a notified agency to order interception, monitoring or decryption of information which may be with a Cyber Cafe, a Mobile Company (including Blackberry) or even a private company or person, if the designated person can justify the requirement. The reasons could be in the interests of the security of the nation or even to prevent commission of any cognizable offence. The word 'cognizable' here should be interpreted as being applicable not only to ITA 2008 but also to the IPC or other statutes. Under the conditions laid down in the Section, the power to intercept, monitor or decrypt does exist. It would be interesting to trace the history of telephone tapping in India and the legislative provisions in our nation and compare them with the powers mentioned here.
Information Technology Act, 2000 and Indian Telegraph Act of 1885

Until the passage of this Section in the ITAA, phone tapping was governed by Clause 5(2) of the Indian Telegraph Act of 1885, which said that: On the occurrence of any public emergency, or in the interest of the public safety, the Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty
and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order.

Other sections of the act mention that the government should formulate precautions to be taken for preventing the improper interception or disclosure of messages. There have been many attempts, or rather many requests, to formulate rules to govern the operation of Clause 5(2). But ever since 1885, no government has formulated any such precautions, maybe for the obvious reason of retaining the spying powers for almost a century. However, this section itself mandates that the reasons for invoking the powers under this section should be recorded in writing. Further, the procedures and safeguards subject to which such blocking may be carried out need to be prescribed. Any person who fails to comply with the order of a designated agency or to provide assistance under the above section may be liable to face an imprisonment term of 7 years.
Section 69-A: Power to issue directions for blocking for public access of any information through any computer resource - (1) Where the Central Government or any of its officer specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections (2), for reasons to be recorded in writing, by order direct any agency of the Government or intermediary to block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed. (3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.[30]

Section 26 of the Indian Post Office Act 1898 confers powers of interception of postal articles for the public good. According to this section, this power may be invoked "On the occurrence of any public emergency, or in the interest of the public safety or tranquility". The section further clarifies that a certificate from the State or Central Government would be conclusive proof as to the existence of a public emergency or interest of public safety or tranquility. Similarly, Section 5(2) of the Telegraph Act 1885 authorizes the interception of any message:
a) on the occurrence of any public emergency, or in the interest of the public safety; and
b) if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence.
Thus, the events that trigger an action of interception are the occurrence of any public emergency or the interests of public safety. Most recently, Section 69 of the Information Technology Act 2008 contains a more expanded power of interception, which may be exercised when the authorised officers are satisfied that it is necessary or expedient to do so in the interest of:
a. the sovereignty or integrity of India;
b. defense of India;
c. security of the State;
d. friendly relations with foreign States;
e. public order;
f. preventing incitement to the commission of any cognizable offence relating to above; or
g. for investigation of any offence.
From a bare reading of these sections, there appears to be a gradual loosening of standards from the Post Office Act to the latest Information Technology Act. The Post Office Act requires the existence of a state of public emergency or a threat to public safety and tranquility as a precursor to exercising the power of interception. This requirement is continued in the Telegraph Act with the addition of a few more conditions, such as expediency in the interests of sovereignty. Under the most recent IT Act, the requirement of a public emergency or a threat to public safety is dispensed with entirely; here, the Government may intercept merely if it feels it necessary or expedient to do so.

Section 69-B: Power to authorise to monitor and collect traffic data or information through any computer resource for Cyber Security- (1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorise any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.

(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorised under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.

(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.

(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Explanation: For the purposes of this section, (i) "Computer Contaminant" shall have the meaning assigned to it in section 43; (ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.31

This section empowers the Government to monitor information with the ISPs and Mobile Service Providers (MSPs) such as the IP address, IMEI number, etc. Imprisonment for violation under this section is 3 years.

The Central Government may, to enhance cyber security and for identification, analysis and prevention of intrusion or spread of computer contaminant in the country, by notification in the Official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. The intermediary or any person in-charge of the computer resource shall provide technical assistance and extend all facilities to such agency to enable them online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information. The Government has passed the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which explain the procedure and safeguards for monitoring and collecting traffic data or information. Any intermediary who intentionally or knowingly contravenes the provisions of this Act shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

There is no doubt that the above three sections confer enormous powers to monitor, block or access personal data and could lead to privacy concerns. However, looked at from the requirements of the security agencies confronting terrorism and information wars in cyber space, one cannot deny the requirements of the security agencies. We need not take objection to the fact that the sections confer powers not only when national security interests are threatened but also when Cognizable Offences are committed.
The reason is that the dividing line between Cyber Crime and Cyber Terrorism is very thin. For example, a series of Phishing Offences may actually be part of a Cyber Terrorist's plan to destabilize the economy. Hence we cannot control Cyber Terrorism or Cyber Wars without controlling Cyber Crimes. Hence the powers conferred by the sections are considered essential though the risk of abuse is very real and needs to be addressed.

There would however be an obvious question about how an Intermediary or any other person would be compensated for any misuse of the powers under this section and what would be the procedure for disputing the order of the agency meant to exercise the powers under Sections 69, 69A and 69B.

We need to note that these sections don't automatically provide powers to the Police. They vest the powers with an agency to be designated. It is however possible that in the notification, Police may be designated as one of the agencies. But there is an option available to the Government to deposit the powers under these sections with a different agency other than the Police. However it would be necessary to vest some authority with the Police for collection of data such as IP address etc. from Intermediaries. Hence there has to be some mechanism where the required freedom is provided to the Police without providing scope for abuse.

Traffic data has been defined in the section to mean any data identifying or purporting to identify any person, computer system or computer network or any location to or from which communication is or may be transmitted.

Section 70: Protected system- (1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, "Critical Information Infrastructure" means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.

(2) The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (1).
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.


(4) The Central Government shall prescribe the information security practices and procedures for such protected system.

According to Section 70(1) of the Information Technology Act, Critical Information Infrastructure (CII) is defined as a computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety. In one of the 2008 amendments to the IT Act, the Central Government granted itself the authority to prescribe the information security practices and procedures for such protected systems. However, these two paragraphs form the legal basis for the regulation of cyber security within the private sector. Such basis notwithstanding, private cyber security remains almost completely unregulated. According to the Intermediary Guidelines, intermediaries are required to report cyber security incidents to India's national-level computer emergency response team (CERT-In). Other than this relatively small stipulation, the only regulation in place for CII exists at the sector level.

The new guidelines for CII protection seek to reorganize the government's approach to CII. The NTRO will outline a total of eight sectors (including energy, aviation, telecom and National Stock Exchange) of CII and then monitor if they are following the guidelines. Such language, though vague and certainly unsubstantiated, suggests the NTRO may ultimately be responsible for enforcing the mandated security practices related to the design, acquisition, development, use and operation of information resources described in the Cyber Security Policy. If so, operators of systems deemed critical by the NTRO or by other authorized government agencies may soon be subject to cyber security regulation.

In A. Shankar S/o. K. Achimuthu Vs. State rep. by Deputy Superintendent of Police, Cyber Crime Cell, Crime Branch CID32, the court found that the circumstances of the case invoke the application of section 70 of the IT Act.
Respondent had registered a case in CBCID Cyber Crime Cell under Section 43 and 66 of the Information Technology Act, on the basis of the complaint lodged by the Principal Secretary to Government, Home (SC) Department, Secretariat, Chennai. It is alleged by the prosecution that on 01.04.2008 and 02.04.2008 at the room of Legal Advisors of Directorate of Vigilance and Anti-Corruption (DVAC), Chennai, the Petitioner, being a Special Assistant of Confidential Section in Directorate of Vigilance and Anti-Corruption office, functioning at NCB-23 building, with intent to cause damage to the office of the Directorate of Vigilance and Anti-Corruption, which has not considered his appointment to the Secretariat as Assistant Section Officer (ASO), without the permission of the owner of the computer and authorised user of the computer, having taken advantage of the absence of Legal Advisor, unauthorisedly accessed the computer system of Legal Advisor through his pen drive named SUJATHA, accessed the folder Directors back up 2 kept in the Legal Advisor's computer without the permission of the owner of the information and also downloaded some audio files and caused publication of the same in the Deccan Chronicle, an English daily newspaper, on 14.04.2008 and also for the telecast on the same day on Makkal TV and Jaya TV at 08.00 pm and 10.00 pm respectively.

The Petitioner, by accessing the computer system and information without the permission of the owners/authorised users, copied, caused publication and thereby diminished the value of information, utility and affected it injuriously by means of securing access and downloaded the information, which was recorded and saved for the purpose of exclusive possession. It is also alleged that the Petitioner had secured access unauthorisedly to the protected system of the Legal Advisor on the above said dates through his pen drive named SUJATHA and downloaded the information, which was created for the purpose of exclusive possession, in contravention of Section 70 of Information Technology Act 2000 and hence after filing of the charge sheet on 26.12.2008, now the Petitioner, for the alleged commission of offences of hacking with protected computer system and breach of confidentiality, has been facing three charges under Sections 66, 72 and Section 70 of Information Technology Act 2000. The Petitioner herein has been considered to be the only person responsible for leakage of information and for the telecast and publication of the information.

In this regard, the Petitioner has also submitted that out of three charges viz., under Sections 66, 70 and 72 of Information Technology Act 2000, the Government has accorded sanction only for the offences under Sections 66 and 70 of the Act and in respect of Section 72, no sanction is accorded and hence sanction of prosecution itself is a defective one and there may not be any difficulty to hold that the whole investigation or whole proceedings which are contemplated against the Petitioner have absolutely been vitiated. On the other hand the first Respondent has also submitted that the sanction to prosecute the Petitioner has not been specifically accorded in respect of Section 72 of the Information Technology Act and that the penal provision under Section 72 of the Act has also been covered by the sanction to prosecute the Petitioner accorded by the Directorate of Vigilance and Anti-Corruption on 24.12.2008.

The Court held that in the instant case on hand it is obvious that there is no mention in the sanction of prosecution in respect of Section 72 of Information Technology Act 2000. In so far as the question of law relating to non-granting of sanction of prosecution in respect of Section 72 of Information Technology Act is concerned, the charge sheet levelled against the Petitioner cannot be quashed on this ground alone. With regard to the question of facts, the High Court will not enter into an enquiry of disputed facts or, thereafter, hold in favour of the accused. The inherent power cannot be invoked to quash the charge only on the ground of question of facts. Further the High Court has also no jurisdiction to interfere with the prosecution at the preliminary stage by prejudging the question without affording reasonable opportunity to the prosecution to substantiate the allegations. Having regard to the submissions made on either side, and on cursory perusal of the materials available on record, this Court is of firm view that the question of sanction of prosecution can be taken during the conduct of trial or any such of the proceedings and therefore, the proceedings, i.e., the charge sheet, at this stage cannot be quashed on the ground of want of sanction in respect of Section 72 of Information Technology Act 2000.
Section 70-A: National Nodal Agency- (1) The Central Government may, by notification published in the official Gazette, designate any organization of the Government as the national nodal agency in respect of Critical Information Infrastructure Protection.

(2) The national nodal agency designated under sub-section (1) shall be responsible for all measures including Research and Development relating to protection of Critical Information Infrastructure.

(3) The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.33

Section 70-A of the Information Technology Act says that the government has to notify an agency responsible for protecting India from such cyber attacks. With the advancement of convergent communication technologies and shared Information systems in India, Critical Sectors are becoming more dependent on their Critical Information Infrastructures (CIIs). These CIIs are interconnected, interdependent, complex and distributed across various geographical locations. Various inherent threats exist to CIIs, ranging from terrorist attacks to organized crimes to espionage and malicious cyber activities, which are growing rapidly. Protection of CIIs and hence CIs of the nation is one of the paramount concerns of the Government. To this end, the Government of India has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO) as the nodal agency under Section 70A(1) of the Information Technology (Amendment) Act 2008 for taking all measures including associated Research and Development for the protection of CIIs in India.

NCIIPC is driven by its mission "To take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction, through coherent coordination, synergy and raising information security awareness among all stakeholders" and with a vision to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors in the country.
Section 70-B: Indian Computer Emergency Response Team to serve as national agency for incident response- (1) The Central Government shall, by notification in the Official Gazette, appoint an agency of the government to be called the Indian Computer Emergency Response Team.


(2) The Central Government shall provide the agency referred to in sub-section (1) with a Director General and such other officers and employees as may be prescribed.

(3) The salary and allowances and terms and conditions of the Director General and other officers and employees shall be such as may be prescribed.

(4) The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security,-
a. collection, analysis and dissemination of information on cyber incidents;
b. forecast and alerts of cyber security incidents;
c. emergency measures for handling cyber security incidents;
d. coordination of cyber incidents response activities;
e. issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
f. such other functions relating to cyber security as may be prescribed.

(5) The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.

(6) For carrying out the provisions of sub-section (4), the agency referred to in sub-section (1) may call for information and give direction to the service providers, intermediaries, data centers, body corporate and any other person.

(7) Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.

(8) No Court shall take cognizance of any offence under this section, except on a complaint made by an officer authorised in this behalf by the agency referred to in sub-section (1).34

The Indian Computer Emergency Response Team, under the Department of Information Technology of the Ministry of Communications and Information Technology, works to enhance the security of India's communications and information infrastructure through proactive action and effective collaboration. Detailed information about the organisation, its functions and missions etc. is provided. The IT security policy and assurance is also available.

CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology (IT) security organization. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. CERT-In monitors Indian cyberspace and coordinates alerts and warnings of imminent attacks and detection of malicious attacks among public and private cyber users and organizations in the country. It maintains a 24x7 operations centre and has working relations/collaborations and contacts with CERTs all over the world, and with Sectoral CERTs, public, private, academia, Internet Service Providers and vendors of Information Technology products in the country. It would work with Government, Public & Private Sectors and Users in the country and monitors cyber incidents on a continuing basis throughout the extent of the incident to analyse and disseminate information and guidelines as necessary. The primary constituency of CERT-In would be organizations under public and private sector domain.

CERT-In was created by the Indian Department of Information Technology in 2004 and operates under the auspices of that department. According to the provisions of the Information Technology Amendment Act 2008, CERT-In is responsible for overseeing administration of the Act. CERT organizations throughout the world are independent entities, although there may be coordinated activities among groups.
The first CERT group was formed in the United States at Carnegie Mellon University.

The said team shall serve as the national agency for performing the functions stated in sub-section (4)(a) to (f) in the area of cyber security. If any service provider, intermediary, data center, body corporate or person fails to provide the information called for or comply with the direction given to it under sub-section (6), no court shall take cognizance of any offence under this section, except on a complaint made by an officer authorized by the Indian Computer Emergency Response Team.

In order to effectively secure the Indian cyber space, CERT-In is assisting the Department of Information Technology to put in place a national cyber security strategy and a national information security governance policy. The elements of national cyber security strategy are: Security legal framework and law-enforcement; Security early warning and response; Security compliance and assurance; Security education awareness and training; Security technology R&D; Security information sharing and cooperation.

In pursuit of the cyber security strategy, CERT-In has been working towards: Preventing cyber attacks against the country's critical information infrastructure; Reducing national vulnerability to cyber attacks; and Minimizing damage and recovery time from cyber attacks.

Specific challenges in securing the cyber space are:

Reaching out to the user community in creating necessary awareness on the need for cyber security and also on the need for them to play their roles in a responsible manner.

Sharing of information with CERT-In with regard to the occurrence of cyber security incidents to enable better preparation and prevention.

Overcoming the technical and legal barriers to move beyond our country's borders to reach the sources of trouble - Most serious cyber crimes such as economic fraud, cyber terrorism and cyber warfare are invariably perpetrated from sources located outside the country using networks of compromised computers located both inside and outside the country. Since the sources of trouble are outside the country, invariably there would be technical and legal challenges to deal with in actually getting to the root of the problem. For this purpose, increased international cooperation is the need of the hour and CERT-In has been able to establish good working relationships with international organizations such as AP CERT & Forum of Incident Response (FIRST, US) and overseas CERTs.

For ensuring safety and security of cyber space, it is not only necessary to have an effective incident response mechanism such as the one already established by CERT-In, but also to develop suitable ability and mechanism to harness real time information on the cyber security incidents even before they occur. In view of this, the future roadmap of CERT-In includes real time incidents information collection, analysis and dissemination for effective security incidents prevention and protection. With this, it would be possible for CERT-In to provide tailored security advisories to the user community in the country, enabling them to take timely and effective preventive actions.

Section 71: Penalty for misrepresentation- Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any license or Electronic Signature35 Certificate, as the case may be, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Any misrepresentation while applying for a digital signature certification to the Controller or Certifying Authority has been made an offence under section 71 of the Act. Both misrepresentation of any material fact and/or suppressing any material fact from the Controller or Certifying Authority for obtaining a licence or digital signature certificate shall constitute an offence. A person while applying for a licence has to fill in the form as required by Rule 10 of the I.T. (Certifying Authorities) Rules, 2000 giving full details about himself. In case of applying for a digital signature certificate, a person is required to fill in the form prescribed by Rule 23 with complete information about himself.
If any of the above information/details are misrepresented or suppressed, then the person guilty of such misrepresentation shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees or with both.


Section 72: Penalty for breach of confidentiality and privacy- Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Privacy as a concept involves what privacy entails and how it is to be valued. The law does not determine what privacy is, but only what situations of privacy will be afforded legal protection. It is interesting to note that the common law does not know a general right of privacy and the Indian Parliament has so far been reluctant to enact one.

The meanings of the words confidentiality and privacy are somewhat synonymous. Confidentiality involves a sense of expressed or implied basis of an independent equitable principle of confidence. Privacy is the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others. Right to privacy is more of an implied obligation. It is the right to be let alone.

In legal parlance the issue of confidentiality comes up where an obligation of confidence arises between a data collector and a data subject. This may flow from a variety of circumstances or in relation to different types of information, which could be employment, medical or financial information.
An obligation of confidence gives the data subject the right not to have his information used for other purposes or disclosed without his permission unless there are other overriding reasons in the public interest for this to happen. That is, where an information for a purpose other than that for which it was provided.

Hence a right is an interest recognized and protected by moral or legal rules. It is an interest, the violation of which would be a legal wrong. Respect for such interest would be a legal duty. It is the basic principle of jurisprudence that every right has a correlative duty and every duty has a correlative right. But the rule is not absolute. It is subject to certain exceptions in the sense that a person may have a right but there may not be a correlative duty. Nevertheless, it would be prudent if the issues related to privacy and confidentiality are viewed as rights along with duties.

Save as otherwise provided in this act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

This section applies only to a person who has gained access to the abovementioned information in pursuance of a power granted under the Information Technology Act or its allied rules, e.g. a police officer, the Controller etc. It would not apply to disclosure of personal information of a person by a website, by his email service provider etc.

The aforesaid section has a limited application only. It confines itself to the acts and omissions of those persons who have been conferred powers under this Act, Rules or Regulations made there under.

Section 72 of the Act relates to any person who, in pursuance of any of the powers conferred by the Act or its allied rules and regulations, has secured access to any:
i) Electronic record,
ii) Book,
iii) Register,
iv) Correspondence,
v) Information,
vi) Document, or
vii) Other material.
If such person discloses such electronic record, book, register, correspondence, information, document or other material to any other person, he will be punished with imprisonment for a term, which may extend to two years, or with fine, which may extend to one lakh rupees, or with both.


Section 72-A: Punishment for Disclosure of information in breach of lawful contract- Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.36

Over the last five years it has been observed that India is playing a crucial role in the outsourcing business. Outsourcing started with call centres and later developed into BPO, KPO, LPO and many other forms of outsourcing. Most outsourcing companies deal with foreign clients' data, i.e. third party information, and hence it is necessary for these companies to deal with such third party information very carefully and with due diligence so as to avoid misuse of such information. For that, the Indian Information Technology Act, 2000 has provisions under sec. 72A, which was inserted by virtue of the amendment made to the Information Technology Act in 2008. According to the provision under sec. 72A, any act which discloses information in breach of lawful contract is an offence.

Nowadays these outsourcing companies deal with third party data and personal information of clients, customers etc. as they have a contractual relationship between them. We are aware of various incidents involving misuse of third party data or personal information. It mainly occurs as a breach of the contractual relation which would exist between the said intermediary and client. To curb such incidents the law provides a specific provision which defines such an act as a crime.
While affording services under the terms of their contractual relationship, these intermediaries are permitted to have secured access to clients' or any other person's personal information. If the alleged access has been done with an intention that is likely to cause wrongful loss or gain then this section comes into the picture. Further, if the party or the intermediary discloses this information to any other person in default of consent or in breach of their contractual relationship, it amounts to committing an offence under Sec. 72A.

Under Section 72A of the (Indian) Information Technology Act, 2000, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has also been made punishable with imprisonment for a term extending to three years and fine extending to INR 5,00,000.

Even though the intermediaries are given immunity under Section 79, they could still be held liable under Section 72A for disclosure of personal information of any person where such disclosure is without consent and is with intent to cause wrongful loss or wrongful gain or in breach of a lawful contract.

As of now, the issue of data protection is generally governed by the contractual relationship between the parties, and the parties are free to enter into contracts to determine their relationship defining the terms personal data, personal sensitive data, data which may not be transferred out of or to India and the mode of handling of the same.

Section 72A of the IT Act imposes a penalty on any person (including an intermediary) who has obtained personal information while providing services under a lawful contract and discloses the personal information without consent of the person, with the intent to cause, or knowing it is likely to cause, wrongful gain or wrongful loss. Such unauthorised disclosure to a third person is punishable with imprisonment up to three years or with fine up to Rs five lakh, or both.
Difference between Section 72 and Section 72A Section 72 of the Act prescribes the punishment if any person who, in pursuance of the powers conferred under the IT Act, 2000, has secured access to any electronic record, information etc and without the consent of the person concerned discloses such information to any other person then he shall be punished with imprisonment upto two years or with fine upto one lakh or with both. Section 72A on the other hand provides the punishment for disclosure by any person, including an intermediary, in breach of lawful contract. The purview of Section 72A is wider than section


72 and extends to disclosure of personal information of a person (without consent) while providing services under a lawful contract and not merely disclosure of information obtained by virtue of powers granted under IT Act, 2000.

Section 73: Penalty for publishing electronic Signature37 Certificate false in certain particulars- (1) No person shall publish a Electronic Signature38 Certificate or otherwise make it available to any other person with the knowledge that a. the Certifying Authority listed in the certificate has not issued it; or b. the subscriber listed in the certificate has not accepted it; or c. the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation (2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

As per this section, if any person has knowledge that the certifying authority has not issued the electronic signature certificate, or that the subscriber has not accepted it, or that the electronic signature certificate has been suspended or revoked, and even then publishes the electronic signature certificate with false particulars, he shall be punished with imprisonment for a term which may extend to two years or with fine which may extend to one lakh rupees or both.

Section 74: Publication for fraudulent purpose- Whoever knowingly creates publishes or otherwise makes available a Electronic Signature39 Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both

Under section 35(4) the electronic signature certificate is granted by the certifying authority. However, if any person knowingly creates, publishes or otherwise makes available an electronic signature certificate for a fraudulent purpose, or knowingly creates, publishes or otherwise makes available an electronic signature certificate for any unauthorized purpose, he shall be liable for an offence under this act, and shall be punished under this section. Fraudulent in this section derives the same meaning as under section 25 of IPC.

Section 75: Act to apply for offence or contraventions committed outside India- (1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality. (2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

Section 75 of the IT Act speaks about the extraterritorial applicability of the Act. According to this Section, the provisions of the IT Act shall apply to any offence or contravention committed by any person irrespective of his nationality, provided the act or conduct constituting the offence or contravention involves a computer, computer system or computer network in India. Section 75 is framed from the angle of addressing the issue of cyber crime. The Section does not address the issue of data protection. Sections 43A and 72A, which are now introduced to protect data, also do not address the territorial applicability of these provisions. Therefore, it can be safely concluded that when data is transferred outside the territories of India it gets no legal protection. The provisions purportedly for data protection jut out as an ugly patchwork on the Information Technology Act and do not offer any comprehensive protection to personal data in India.

In Banyan Tree Holdings Limited Vs. M. Murali Krishna Reddy and Anr.40, the question of extra territorial jurisdiction arose.
The honorable court noted that this order deals with the question whether this Court can entertain and try the present suit, and whether the cause of action, or any part thereof, has arisen within the territorial jurisdiction of the court. The plaintiff prefers the present action seeking a decree for permanent injunction restraining the defendants from passing off and diluting its trademark; it also


seeks a decree for rendition of accounts and damages. It is averred that the plaintiff is a publicly listed company having its registered office at Singapore, and is a part of a group that is extensively involved in the hospitality business, managing about 81 hotels, resorts and spas in various parts of the world. It is averred that the plaintiff and its sister concerns have since the year 1994 adopted and used the word mark Banyan Tree and also the banyan tree device, both of which were also used by its predecessor in interest. It is also averred that due to the extensive and continuous use of the marks in relation to its business, they have acquired secondary meaning. The plaintiff also avers that it has advertised its services and products through the print and electronic media, many of which have substantial reach and circulation in India. The plaintiff also maintains websites (www.banvantree.com; www.banvantreespa.com etc.) since the year 1996, which are accessible in India. Due to the plaintiff's reputation and goodwill, it is submitted that the said marks have become highly distinctive and have come to be associated with the plaintiff and its sister concerns. Further, it is averred that the goodwill and reputation of the plaintiff's trademarks have spilled into India because of the large scale travel of tourists from and into India, creating awareness about the said marks, the publicity given by various magazines and journals and the online presence on the Internet. It is also submitted that the plaintiff, from the year 2002 onwards, in collaboration with the Oberoi Group, operates 15 spas across India. Though the plaintiff is the registered proprietor of the marks in various countries, it does not hold any registration for the said marks in India, but has sought registration. The plaintiff avers that in October 2006 it came to know that the defendants, who are residents of Hyderabad, Andhra Pradesh, had initiated work on a project under the name Banyan Tree Retreat.
It is submitted that the word mark and the device adopted by the defendants in relation to their retreat are deceptively similar to those of the plaintiff. It is averred that the defendants have advertised their project on their website www.makprojects.com/banyantree. It is alleged that such use was meant to unlawfully appropriate the reputation and goodwill of the plaintiff. It is alleged that since the defendants belong to the same trade/industry, such adoption of the plaintiff's mark is dishonest and is motivated to create deception


among the public. Therefore, the plaintiff seeks an ex parte interim injunction restraining the defendants from using its marks.

It can therefore be gleaned from the above extract that the territorial jurisdiction of this Court is sought to be established on the following grounds. Firstly, that the services of the defendant are being offered to residents of Delhi and hence the cause of action has arisen within Delhi. In this regard the plaintiffs have produced brochures sent by the defendant for the purpose of sale of the property to customers in Delhi, which the plaintiff claims is evidence of the fact that the defendants carry on business within the territorial jurisdiction of the Court. Secondly, that the defendant's website is accessible from anywhere in India, and is interactive in nature and not passive, providing contact details, feedback and inputs. Further, the plaintiff also relies on the ubiquity, universality and the utility of the features of the defendant's website on the Internet. The plaintiff drew the attention of this Court to the affidavit of one Mr. D.C. Sharma, an independent investigator deployed by the plaintiffs. In his affidavit Mr. Sharma deposed as to how, using the contacts provided on the defendant's websites, he contacted the Deputy Manager of the defendants and solicited information about the details of the Banyan Tree Retreat project, which was duly supplied by electronic mail. He also drew the attention of the Court to the brochures sent by the defendants to Mr. D.C. Sharma. He argued that the website of the defendants, besides providing other information, also gave contact details and included feedback forms where customers could write comments and seek information. The section, like Section 62(2) of the Copyright Act, enables a plaintiff to sue the defendant in a court within whose jurisdiction it (the plaintiff) resides or works for gain.
The court has therefore to focus on whether web hosting of the kind allegedly indulged in by the defendant is sufficient to prima facie infer that a part of the cause of action arises within the jurisdiction of this Court. The Court held that in this case, the averments in the suit show that the plaintiff does not operate within the jurisdiction of the court; the action is not for trademark infringement. The defendant's residence, i.e. registered office, is not in the territorial jurisdiction of the court. It also does not have any branch or other offices in Delhi. The slender thread relied on by the plaintiff is the web site of


the defendant, and the trap transaction whereby a brochure was ordered by it, from the defendant, and received in New Delhi. The web site, screen shots of which have been reproduced, reveals that the defendant has disclosed its activities; it contains web pages eliciting feedback, and a link to an E-Brochure. The defendant's e-mail identification also figures in the web site; it further discloses that the defendant has banyan tree retreats in Hyderabad, at three locales. The layout plan of those retreats has been shown. However, the interactivity is confined to a feedback dialog form; the defendant does not have any application form which can be used by a potential customer. Even the brochure produced by the plaintiff, along with the documents, mentions the booking amount as Rs. Ten lakhs, for a unit. The payment plan, which is apparently linked with the construction of the unit, has been shown, but, significantly enough, without details of amounts. An overall reading of the brochure does not enable the potential customer to know the cost of the unit which he would like to book; he would have to interact further with the defendant, as the solitary instance relied on by the plaintiff, in the affidavit, suggests.

The court is of the opinion that these questions need to be considered and settled authoritatively by a Division Bench. This is essential both to resolve the conflict in the approaches indicated by the two decisions of the court, and also to decide whether assumption of such jurisdiction is feasible or justified, having regard to the existing state of law. Also, in the event the court concludes that internet based activity or behavior can in some circumstances clothe this Court with jurisdiction, it would be appropriate to indicate standards which can be applied with some constancy.

The following questions are accordingly referred for consideration of, and decision by, a Division Bench:

(1) Whether this Court can entertain the present suit, having regard to the averments and documents, in the context of special provisions in the Trademark and Copyrights Act, which do not provide for exercise of jurisdiction based on internet or web-presence of such alleged infringers, even while making explicit departure from the general law as to territorial jurisdiction;

(2) Whether the court can entertain the present suit, in the absence of a long arm statute, having regard to the existing state of law, particularly Section 20, CPC, and the impact, if any, of the Information Technology Act, 2000 on it;


(3) Applicable standards for entertaining a suit, based on use of a trademark by a defendant, on its web site, or infringement or passing off of the plaintiff's trademark, in such web site and the relevant criteria to entertain such suits;

(4) Applicable standards and criteria where the plaintiff relies exclusively on trap orders or transactions, in relation to passing off, or trademark infringement cases, as constituting use or cause of action, as the case may be.

Section 76: Confiscation- Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made there under has been or is being contravened, shall be liable to confiscation: Provided that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorised by this Act against the person contravening of the provisions of this Act, rules, orders or regulations made there under as it may think fit.

This section provides for the confiscation of any computer, computer system, floppies, computer disks, tape drives or any other accessories related thereto in respect of contravention of any provision of the act, rules, regulations or orders made thereunder. As per section 28 of this act, the controller shall take up for investigation any contravention of the provisions under the act, rules, and regulations.
The proviso to this section provides the exception to the main provision. As per the proviso, in the following circumstances the court concerned shall not make any order for confiscation of the goods and will make any other order authorized by the act.


- The person in whose possession the computer or computer system etc. were found was not responsible for the contravention of the provisions of the act, rules, regulations
- The above fact was established to the satisfaction of the court adjudicating the confiscation matter.

Section 77: Compensation, penalties or confiscation not to interfere with other punishment- No compensation awarded, penalty imposed or confiscation made under this Act shall prevent the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force.

This section implies that the same act of a person may amount to a civil wrong and an offence under this act. Chapter IX deals with the civil wrong and has fixed the civil liability on wrong doers, whereas chapter XI deals with offences relating to computer, computer system and computer network. Thus any act of hacking will attract section 43 as well as section 70. Section 77 of this act says that the compensation awarded, penalty imposed or confiscation made under this act shall not prevent the imposition of any other punishment under any other law. If a civil wrong is committed by a person, he can be held liable to pay penalty or compensation under sections 43, 44 and 45 of this act. For the same civil wrong the offender may be given punishment under chapter XI of this act or under the IPC or any other law for the time being in force. However, this section cannot be said to be in conflict with article 20(2) of the Indian constitution. In order to bring the case of a person within the ambit of article 20(2) it must be shown that he had been prosecuted before the competent court and punished by it for the same offence for which he is prosecuted again.

Section 77-A: Compounding of Offences - (1) A Court of competent jurisdiction may compound offences other than offences for which the punishment for life or imprisonment for a term exceeding three years has been provided under this Act.
Provided that the Court shall not compound such offence where the accused is by reason of his previous conviction, liable to either enhanced punishment or to


a punishment of a different kind. Provided further that the Court shall not compound any offence where such offence affects the socio-economic conditions of the country or has been committed against a child below the age of 18 years or a woman. (2) The person accused of an offence under this act may file an application for compounding in the court in which offence is pending for trial and the provisions of section 265-B and 265-C of Code of Criminal Procedures, 1973 shall apply.41

A court of competent jurisdiction may compound offences, other than offences for which the following punishment has been provided under this act:
- Punishment for life, or
- Imprisonment for a term exceeding three years.

There are two exceptions to this rule. No compounding shall take place where the accused:
- Is liable to enhanced punishment by reason of his previous conviction or to a punishment of a different kind, or
- Committed such offence, which affects the socio-economic conditions of the country, or
- Has committed offence against a child below the age of 18 years, or
- Has committed offence against women

The offence punishable under the Information Technology Act is compoundable under this act if the punishment is not more than three years imprisonment. Sections 265B and 265C of the Cr.P.C. deal with the application for plea bargaining and guidelines for mutually satisfactory disposition. This act provides that the accused may file an application for compounding in the court in which the offence is pending for trial and the provisions of sections 265B and 265C of the Cr.P.C. shall apply.

Section 77-B: Offences with three years imprisonment to be cognizable- (1) Not withstanding anything contained in Criminal Procedure Code 1973, the offence punishable with imprisonment of three years and above shall be cognizable and the offence punishable with imprisonment of three years shall be bailable.42

The offence punishable with imprisonment of three years and


above shall be cognizable and the offence punishable with imprisonment of less than three years shall be bailable, and non cognizable. A police officer below the rank of inspector cannot hold the investigation in this regard.

Section 78: Power to investigate offences- Notwithstanding anything contained in the Code of Criminal Procedure, 1973, a police officer not below the rank of Inspector shall investigate any offence under this Act.

The non obstante clause indicates that this section may be considered as an exception to the code of criminal procedure, 1973. Before the amendment of 2008, a police officer not below the rank of deputy superintendent of police was authorized to investigate an offence under this act. However, after the amendment of 2008, this section has empowered a police officer not below the rank of inspector to investigate any offence under this act. Under section 80(1), a police officer not below the rank of an inspector, or any other officer of the central government or a state government authorized by the said government, may (i) enter any public place, (ii) search, and (iii) arrest without warrant any person found therein who is reasonably suspected of having committed, of committing or of being about to commit any offence under this act. Once the investigation of the offence is completed any police officer may handle the case.

References

1. 2005 CrLJ 4314
2. MANU/UP/0421/2008
3. (2008) 2 GLR 1134
4. MANU/PH/0326/2010
5. (2010)ILR 1Delhi54
6. MANU/PH/0790/2008
7. MANU/KE/0139/2010
8. 2006GLH(26)711
9. 2011(3)ACR3114
10. Inserted by Information Technology (Amendment) Act, 2008
11. Quoting from the case of DPP v. Collins [2006] UKHL 40 [6]: The genealogy of [s. 127(1) of the Communication Act]
12. Inserted by Information Technology (Amendment) Act, 2008
13. Inserted by Information Technology (Amendment) Act, 2008
14. 2010(2)KLJ458
15. MANU/PH/0506/2011
16. Inserted by Information Technology (Amendment) Act, 2008
17. 2010(2)KLJ458


18. http://www.indianexpress.com/news/womans-exhusband-arrested-undercyber-crime-charges/1128109; last visited on 21.07.2013
19. Inserted by Information Technology (Amendment) Act, 2008
20. MANU/PH/3305/2011
21. 2007(2) Law Herald (Punjab & Haryana) 2225.
22. 2011(3)GLT813
23. Inserted by Information Technology (Amendment) Act, 2008
24. 2007(3)RCR(Criminal)579
25. MANU/KE/0423/2010
26. 2010(4)BomCR866, 2009(111)BOMLR4629
27. 2008CriLJ4107, (2008)ILR 1Delhi151
28. Inserted by Information Technology (Amendment) Act, 2008
29. Inserted by Information Technology (Amendment) Act, 2008
30. Inserted by Information Technology (Amendment) Act, 2008
31. Inserted by Information Technology (Amendment) Act, 2008
32. MANU/TN/3055/2010
33. Inserted by Information Technology (Amendment) Act, 2008
34. Inserted by Information Technology (Amendment) Act, 2008
35. Substitution of words digital signature by words electronic signature by ITAA 2008
36. Inserted by Information Technology (Amendment) Act, 2008
37. Substitution of words digital signature by words electronic signature by ITAA 2008
38. Substitution of words digital signature by words electronic signature by ITAA 2008
39. Substitution of words digital signature by words electronic signature by ITAA 2008
40. 2008(38)PTC288(Del)
41. Inserted by Information Technology (Amendment) Act, 2008
42. Inserted by Information Technology (Amendment) Act, 2008


CHAPTER XII

INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES


Section 79: Exemption from liability of intermediary in certain cases- (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link hosted by him. (2) The provisions of sub-section (1) shall apply if (a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; or (b) The intermediary does not (i) initiate the transmission, (ii) Select the receiver of the transmission, and (iii) Select or modify the information contained in the transmission; (c) The intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf. (3) The provisions of sub-section (1) shall not apply if (a) The intermediary has conspired or abetted or aided or induced whether by threats or promise or otherwise in the commission of the unlawful act; (b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner. Explanation:- For the purpose of this section, the expression third party information means any information dealt with by an intermediary in his capacity as an intermediary.

The intermediary is needed by the originator and addressee, as he is a person who on behalf of another person receives, stores or transmits electronic messages or provides any service with respect to that electronic message. Prior to the amendment of 2008 the intermediary was liable for any civil wrong as well as any criminal offence in this act. However, the amendment of 2008 brings in section 67C, which fixed the criminal liability of the intermediary. The non obstante clause indicates that the liability of the intermediary under this section is an exception to his liability under any other law for the time being in force. Section 79(1) provides that, subject to the provisions of sub-sections (2) and (3) of this section, an intermediary shall not be liable for any third party information or data made available by him or communication link made available or hosted by him. Section 79(2) provides that the protection given to the intermediary under sub-section (1) applies only if either the function of the intermediary is limited to providing access to a communication system, or the intermediary does not initiate the transmission, does not interfere with the process of selecting the receiver and does not interfere in the selection or modification of the information contained in the transmission.
Another condition for the application of section 79 is the application of due diligence in observing the government rules and regulations. Over time, the government has brought in certain rules for the smooth functioning of the system, such as:


- The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- The Information Technology (Intermediaries Guidelines) Rules, 2011
- The Information Technology (Guidelines for Cyber Cafe) Rules, 2011
- The Information Technology (Electronic Service Delivery) Rules, 2011

As per section 79(3), the protection given to the intermediary under section 79(1) shall not apply if the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise, in the commission of the unlawful act, or if, upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner. If, having received the knowledge that the information is being used for the commission of an unlawful act, the intermediary fails to expeditiously remove it, he shall be liable to punishment in accordance with section 67C of this act.

The Information Technology (Intermediaries Guidelines) Rules, 2011 of India have raised many eyebrows in the past. Internet intermediaries have shown their discomfort with the applicability of these intermediary guidelines. The desire for regulation of social media in India has also added another perspective to this issue. The Information Technology (Intermediary Guidelines) Rules, 2011 were notified by the Ministry of Information Technology of the Government of India on April 11, 2011. The guidelines are primarily meant for establishing Internet intermediary liability in India. Internet intermediaries law and liability in India has become very stringent after the passing of the intermediary guidelines.
These guidelines have introduced the concept of cyber law due diligence in India. Naturally, cyber due diligence for Indian companies, cyber due diligence for online payment transferors in India, cyber due diligence for foreign websites in India, etc have now been


officially introduced in India. The Rule that appears to be giving sleepless nights to intermediaries is Rule 3, which has 11 sub-rules. Only those sub-rules of Rule 3 which are relevant are reproduced below:

3. Due diligence to be observed by intermediary

The intermediary shall observe following due diligence while discharging his duties, namely:

(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary's computer resource by any person.

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that
(a) belongs to another person and to which the user does not have any right to;
(b) is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
(c) Harm minors in any way;
(d) Infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) Deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
(g) Impersonate another person;
(h) Contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
(i) Threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.
(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver


of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2): Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2):
(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.

The common assumption appears to be that sub-rule 4 requires the intermediary to take down material upon receipt of notice from an affected person within 36 hours, without asking any questions or without having the freedom to apply his mind. I don't think this assumption is reflective of the true position of the law. This is because sub-rule 4 says the intermediary shall act within 36 hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2).
The reference in the provision is to "information that is in contravention of sub-rule(2)", and not information that is claimed by the aggrieved person as contravening sub-rule (2). Therefore, there is no requirement to blindly take down material within 36 hours just because notice has been received from an

affected person. The only requirement is to "act within 36 hours", which means to do something concrete to redress the grievance of the affected person.

What happens when the "affected person" claims that information sought to be taken down attracts sub-rule 2(d), which refers to infringement of IP rights? Here too, the caveat applies. This means the intermediary has the right to determine if the information sought to be taken down is indeed infringing the IP rights of the affected party. This is also borne out from an interpretation of Sections 79, 81 and the Proviso to Section 81. A combined reading of Sections 79, 81 and the Proviso to 81 bears out that Section 79 prevails over any provision contained in any law, which includes all other provisions of the Information Technology Act (including Section 81 of the Act). Section 81 says the provisions of the IT Act (including Section 79) shall prevail over any other law (which means laws other than the IT Act). The Proviso to Section 81 says that the exception to the over-riding effect of the IT Act under Section 81 are the rights available to "any person" under the Copyright Act or the Patents Act. This means that neither Section 79 nor Section 81 or any other provision of the IT Act truncates or limits the exercise of the legitimate rights available to any person under the Copyright Act or the Patents Act.

Critically, the reference to "any person" in the Proviso is not just to a right owner. In fact, it includes all third parties who are entitled to exercise fair use and fair dealing rights under the Copyright Act and Patents Act. This includes intermediaries. Therefore, an intermediary has the right to decide whether or not the material sought to be taken down by an IP right owner amounts to an infringement. If the material does not infringe any right, and has been uploaded in exercise of the intermediary's legitimate rights under the Copyright or Patents Act, he need not take down the material.

When many doubts and protests were raised against these guidelines, the matter reached the parliamentary corridors. The parliamentary standing committee on subordinate legislation has issued a report in which it has criticised the government and asked it to make changes to IT rules that govern internet-related cases in India. It found many ambiguities in the existing intermediary guidelines and

It said in the report that multiple clauses in the laws had inherent ambiguity and that discrepancies exist in the government's stand on whether some rules are mandatory or only of advisory nature. Now the department of electronics and information technology has issued a clarification in this regard. The clarification says that these Rules provide a due diligence framework to be observed by the intermediary while discharging his duties. Further, the grievance officer of the intermediary shall redress such complaints promptly but in any case within one month from the date of receipt of complaint in accordance with sub-rule (11) of Rule 3. The intermediary should have a publicly accessible and published grievance redressal process by which complaints can be lodged.

Section 79 under the IT Amendment Act is purported to be a safe harbor provision modeled on the EU Directive 2000/31. However, the Information Technology Amendment Act 2008 left a lot to be desired. Both the EU and the USA provide specific exclusion to internet service providers under the respective legislations. In order to clarify the issue and put the controversy to rest, Indian legislators need to insert a similar provision providing immunity to ISPs in the Copyright Act, 1957.

In Google India Pvt. Ltd. Vs. Vinay Rai and Anr.,¹ the honorable court held that the Petitioner was neither service provider nor platform on which objectionable material had been loaded; therefore, the Petitioner was on a better footing and was exempted under Section 79 of the Act.

In JCB India Ltd. Vs. I.P. Address: 122.163.98.166 and Ors.,² the Court held that: The plaintiff submits that since these acts have been committed using computers, networks and the Internet the Information Technology Act, 2000 applies to the present case. It is submitted that acts of the fourth defendant amount to hacking within Section 66 of the Information Technology Act, 2000. It is alleged that through the aforesaid acts, the applicant has unlawfully appropriated the plaintiff's trade secrets and confidential information and moreover, violated the plaintiff's copyright in the drawings and data. Defendant argued that the essence of the cause of action in this suit is unauthorized access and transmitting of data stored in computers and computer networks, which is an offence termed as
hacking under Section 66 of the IT Act. The cause of action against the other defendants in the suits is in the nature of their being service providers for the emails through which the applicant allegedly unlawfully transmitted the data and drawings. Such service providers, it was contended, would be liable under Section 79 of the IT Act. Further, Section 43 of the IT Act, especially Clauses (a) and (b), states that a person who accesses or secures access to such computer or computer networks, or downloads, copies or extracts any data from any such computer or computer network without the permission of the owner or any other person in charge of such system or network, is liable to pay damages by way of compensation. It was argued these provisions must be read with Section 46, under which the power to adjudicate upon instances of contravention of the provisions of the Act has been exclusively conferred on the Adjudication Officer appointed by the Central Government. Section 61 explicitly bars the institution of a civil suit in respect of any matter which an adjudicating officer under the Act is empowered to determine. Therefore, in light of this bar of jurisdiction of the civil court, coupled with the fact that the plaintiff has also preferred a complaint under the IT Act, it was argued that this Court lacks jurisdiction and should reject the suit. Even if some of the causes pleaded by the suit are seemingly barred, yet this Court should not reject the plaint on the ground of the relief being barred in law; that can be gauged only at the final stage, having regard to the composite nature of the claims in the pleadings. For these reasons, the application for rejection of plaint cannot succeed.

In Sanjay Kumar Kedia Vs. Narcotics Control Bureau and Anr.,³ the question was raised whether the Appellant and his associates were not innocent intermediaries or network service providers as defined in Section 79 of the Information Technology Act. It was argued that the said business is only a facade and camouflage for more sinister activity. However, the court held that Section 79 will not grant immunity to an accused having violated provisions of the N.D.P.S. Act, i.e., Sections 24 and 29. As Section 79 gives immunity from prosecution for offence only under Technology Act, it is not possible to give finding under Section 37 of the N.D.P.S. Act for granting bail.

Under the Information Technology Amendment Act, 2008, Section 79 has been modified to the effect that an intermediary shall not be liable for any third party information, data or communication link made available or hosted by him. This is however subject to the following conditions: the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted; the intermediary does not initiate the transmission or select the receiver of the transmission and select or modify the information contained in the transmission; the intermediary observes due diligence while discharging his duties.

As a result of this provision, social networking sites like Facebook, Twitter, Orkut etc. would be immune from liability as long as they satisfy the conditions provided under the section. Similarly, Internet Service Providers (ISP), blogging sites, etc. would also be exempt from liability. However, an intermediary would lose the immunity if the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise, in the commission of the unlawful act.

Section 79 also introduced the concept of a notice and take down provision as prevalent in many foreign jurisdictions. It provides that an intermediary would lose its immunity if, upon receiving actual knowledge or on being notified that any information, data or communication link residing in or connected to a computer resource controlled by it is being used to commit an unlawful act, it fails to expeditiously remove or disable access to that material.

In Vyakti Vikas Kendra, India Public Charitable Trust Thr Trustee Mahesh Gupta & Ors Vs. Jitender Bagga & Anr,⁴ the four plaintiffs, namely, Vyakti Vikas Kendra, India Public Charitable Trust, Mr Gautam Vig, Mrs. Bhanumati Narsimhan and Mrs. Sharmila Murarka, have filed the present suit against the defendants for damages to the tune of Rs.5,09,00,000/-, permanent and mandatory injunction, mainly on the ground that they are aggrieved, hurt and immensely concerned on account of certain highly defamatory materials posted on an internet website by the name http://www.blogger.com/ by one Mr Jitender Bagga, the defendant No.1 herein.
The said website is owned by Google, the defendant No.2. It is a Blog Publishing Service which allows people to create and publish a Blog. The defendant No.1 has been indiscriminately sending e-mails and has published a large number of blogs on the website http://www.blogger.com/, which according to them contain highly vulgar, disgusting and abusive references towards His Holiness Sri Sri Ravi Shankar, owner of Art of Living Foundation, and towards various other persons associated with the Art of Living.

Plaintiff No. 1, Vyakti Vikas Kendra, India Public Charitable Trust, is a registered Public Charitable Trust constituted to implement and promote the spiritual, educational, social and developmental activities for The Art of Living in India. The Art of Living, founded in 1981, is one of the world's largest volunteer based, humanitarian and educational organizations inspired by His Holiness Sri Ravi Shankar's vision of creating a stress-free, violence-free society. The plaintiff No. 2, Mr. Gautam Vig, is a devout follower of His Holiness Sri Sri Ravi Shankar. The plaintiff No. 3, Mrs. Bhanumati Narsimhan, is His Holiness Sri Sri Ravi Shankar's sister and an Art of Living teacher. The plaintiff No. 3 is personally a victim of the defendant No. 1's defamatory acts. The plaintiff No. 4, Mrs. Sharmila Murarka, is an Art of Living Teacher. Plaintiff No. 4 is also personally a victim of defendant No. 1's defamatory acts. The defendant No. 1 has created and published various materials on the Internet, which are highly defamatory to the plaintiffs. In para 10, there is a table containing materials defamatory to the plaintiffs, the Art of Living Foundation, its spiritual head Sri Sri Ravi Shankar and his family members.

It was argued that Defendant No.2 is an intermediary within the definition of Section 2(1)(w) and Section 79 of the Information Technology Act, 2000. Under Section 79(3)(b) of the IT Act, 2000, defendant No.2 is under an obligation to remove unlawful content if it receives actual notice from the affected party of any illegal content being circulated/published through its service. He is bound to comply with the Information Technology (Intermediaries Guidelines) Rules 2011. Rule 3(3) of the said rules read with Rule 3(2) requires an intermediary to observe due diligence or publish any information that is grossly harmful, defamatory, libellous, disparaging or
otherwise unlawful. Rule 3(4) of the said rules provides for the obligation of an intermediary to remove such defamatory content within 36 hours from receipt of actual knowledge. The said rule expressly provides as follows: "The Intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through e-mail signed with electronic signature about any such information as mentioned in sub rule (2) above, shall act within 36 hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub rule (2)."

However, the court held that: In view of the foregoing facts and reasons mentioned above, it appears that the plaintiffs have been able to make out a strong prima facie case of passing of ex-parte interim order. The balance of convenience also lies in favour of the plaintiffs and against the defendants.

References

1. MANU/DE/0170/2012
2. MANU/DE/2584/2008
3. (2008) 2 SCC 294
4. MANU/DE/1993/2012

CHAPTER XII-A

EXAMINER OF ELECTRONIC EVIDENCE


Section 79-A: Central Government to notify Examiner of Electronic Evidence - The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence. Explanation: For the purpose of this section, "Electronic Form Evidence" means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines.¹

This section is in tune with the newly added section 45A of the Indian Evidence Act, which provides that when in a proceeding the court has to form an opinion on any matter relating to any information transmitted or stored in any computer resource or any other electronic or digital form, the opinion of the Examiner of Electronic Evidence referred to in section 79A of the Information Technology Act, 2000 is a relevant fact. However, the Explanation to section 45A says that for this purpose the Examiner of Electronic Evidence shall be an expert. To fulfill the need for expert opinion under section 45A, the central government has the power under section 79A to notify in the official gazette the Examiner of Electronic Evidence.

Electronic evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, pen drives, CD-ROMs, etc. Non-obvious sources include settings of digital thermometers, black boxes, RFID tags and web pages, servers, data retention devices, etc.

1. Inserted by Information Technology (Amendment) Act, 2008

CHAPTER XIII

MISCELLANEOUS
Section 80: Power of Police Officer and Other Officers to Enter, Search, etc. - (1) Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), any police officer, not below the rank of an Inspector, or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act. Explanation - For the purposes of this sub-section, the expression "Public Place" includes any public conveyance, any hotel, any shop or any other place intended for use by, or accessible to the public. (2) Where any person is arrested under sub-section (1) by an officer other than a police officer, such officer shall, without unnecessary delay, take or send the person arrested before a magistrate having jurisdiction in the case or before the officer-in-charge of a police station. (3) The provisions of the Code of Criminal Procedure, 1973 shall, subject to the provisions of this section, apply, so far as may be, in relation to any entry, search or arrest, made under this section.

Section 41 of the Cr.P.C. lays down that any police officer may, without an order from a magistrate and without a warrant, arrest any person who has been concerned in any cognizable offence or against whom a reasonable complaint has been made. This section, by contrast, is restrictive: only a police officer not below the rank of Inspector, or an officer of the Central Government or of a State Government authorized by the central
government may enter public places, such as cyber cafes, search there and, if found necessary, arrest without warrant any person who is suspected of having committed, of committing or of being about to commit any offence under this Act. Sub-section (2) says that in case of such arrest the arresting authority shall, without unnecessary delay, bring the arrested person before the nearest magistrate having jurisdiction or the police officer in charge of the police station. Further, as per sub-section (3), if any offence is committed by the person under this Act, the procedure laid down in the Cr.P.C. will be applicable. These procedures include search, entry, arrest etc.

In Shiva Jatan Thakur (Dr.) Vs. Union of India & Ors.,¹ the Court held that from a bare reading of Section 80(1), it becomes clear that a police officer, not below the rank of Inspector, is empowered to investigate an offence under the I.T. Act. Such empowerment, which Section 80(1) envisages, is required in respect of an officer other than a police officer of the rank of Inspector. It is, therefore, impossible to agree with accused that unless a police officer is specially empowered by the Central Government or the State Government, as the case may be, he is not competent to investigate an offence under the I.T. Act. As already indicated hereinbefore, every police officer, not below the rank of Inspector, is competent, in the light of the provisions of Section 80, to investigate an offence created under the I.T. Act.

Section 81: Act to have Overriding effect - The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force. Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act 1957 or the Patents Act, 1970 (39 of 1970).

Accordingly this section will have an overriding effect over other acts. The proviso to this section provides that the provisions of this Act shall not restrict any person from exercising any right conferred under copyright or patent laws. But, relying upon Meharban Khan vs. UOI, the provisions of this Act will prevail over the provisions of the Limitation Act. In Shiva Jatan Thakur (Dr.) Vs. Union of India & Ors.,² the Court affirms
the overriding effect and defines the jurisdiction issues in detail. There can be no dispute that the Information Technology Act is a special Act and, in terms of the provisions of Section 4 of the Code of Criminal Procedure, read with Section 81 of the I.T. Act, the offences under the I.T. Act shall be investigated, inquired into, tried and, otherwise, dealt with according to the provisions contained in the Code of Criminal Procedure, subject to, however, any provision(s), which may be contained in the I.T. Act, indicating otherwise. The First Schedule to the Code of Criminal Procedure divides the entire Code into two parts, viz., Part-I and Part-II. Part-I deals with offences under the Indian Penal Code and specifies as to whether a given offence is cognizable or non-cognizable, bailable or non-bailable, and who is competent to try the offence, whether a Magistrate or a Court of Session. Part-II deals with other laws, which obviously, means and includes special penal acts, such as, the I.T. Act. Part-II classifies the offences into cognizable, non-cognizable, bailable and non-bailable, depending, substantially, upon the length of imprisonment prescribed for a given offence. Even the question as to who can try an offence, under a special law, is answered by Part-II on the basis of the length of imprisonment prescribed. For instance, if an offence is punishable with imprisonment for less than three years or with fine only, such an offence is non-cognizable, bailable and triable by any Magistrate; whereas, if an offence is punishable with imprisonment for three years and upwards but not more than seven years, then, the offence is cognizable, non-bailable and is triable by a Magistrate of First Class and, if an offence is punishable with death, imprisonment for life, or imprisonment for more than seven years, the offence is cognizable, non-bailable and is triable by a Court of Session.

Admittedly, the I.T. Act does not specify as to who would or which Court would try the offences, which the I.T. Act has created. A cross-examination of the offences, which have been created in Chapter IV of the I.T. Act, shows that the offences are punishable either by imprisonment up to three years or with fine, or with both, but some of the offences are punishable by imprisonment of seven years and even imprisonment for life. The Court further held that, considering the fact that the offences, which have been mentioned under Chapter XI, are all punishable with imprisonment for three years and above, there can be no
escape from the conclusion that all these offences are cognizable offences and, being cognizable offences, the police is competent to register the offences and investigate the same, the only limitation being that a police officer in order to be competent to investigate the case, must be of the rank of, at least, an Inspector.

Section 81-A: Application of the Act to Electronic cheque and Truncated cheque - (1) The provisions of this Act, for the time being in force, shall apply to, or in relation to, electronic cheques and the truncated cheques subject to such modifications and amendments as may be necessary for carrying out the purposes of the Negotiable Instruments Act, 1881 (26 of 1881) by the Central Government, in consultation with the Reserve Bank of India, by notification in the Official Gazette. (2) Every notification made by the Central Government under sub-section (1) shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both houses agree in making any modification in the notification or both houses agree that the notification should not be made, the notification shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under the notification. Explanation: For the purpose of this Act, the expressions "electronic cheque" and "truncated cheque" shall have the same meaning as assigned to them in section 6 of the Negotiable Instruments Act, 1881 (26 of 1881).³

The provisions of this Act shall apply to electronic cheques or truncated cheques subject to such modification as the central government may notify in consultation with the RBI. The Explanation to this section, in consonance with section 6 of the NI Act, defines a cheque in the electronic form as a cheque which contains the exact mirror image of a paper cheque and is generated,
written or signed in a secure system ensuring the minimum safety standards with the use of electronic/digital signature and asymmetric crypto system. A truncated cheque means a cheque which is truncated during the course of a clearing cycle, either by the clearing house or by the bank, whether paying or receiving payment, immediately on generation of an electronic image for transmission, substituting the further physical movement of the cheque in writing.

Section 82: Chairperson, Members, Officers and Employees to be Public Servants - The Chairperson, Members and other officers and employees of a Cyber Appellate Tribunal, the Controller, the Deputy Controller and the Assistant Controllers shall be deemed to be Public Servants within the meaning of section 21 of the Indian Penal Code.

Section 82 says that the chairperson, members, other officers and employees of a cyber appellate tribunal, the controller, the deputy controller and the assistant controllers shall be deemed to be public servants within the meaning of section 21 of IPC. However, certifying officers or adjudicating officers are not public servants under section 21 of IPC. The central government or state government officers on deputation are not public servants under section 21 IPC.

Section 83: Power to Give Directions - The Central Government may give directions to any State Government as to the carrying into execution in the State of any of the provisions of this Act or of any rule, regulation or order made there under.

In order to ensure that each state government does not interfere by its action with the administrative policies of the central government and does not undermine the utility of the nation, certain powers of administrative control over the states have been given to the central government. This section, in consonance with Article 256 of the Indian Constitution, ensures that it shall be the duty of each state to carry into execution the directions given by the central government about the implementation of the provisions of this Act and the rules, regulations and orders made there under.

Section 84: Protection of Action taken in Good Faith - No suit, prosecution or other legal proceeding shall lie against the Central Government, the State Government, the Controller or any person acting on behalf of him, the Chairperson, Members, Adjudicating Officers and the staff of the Cyber Appellate Tribunal for anything which is in good faith done or intended to be done in pursuance of this Act or any rule, regulation or order made there under.

This provision gives protection to the central government, the state government, the controller or any person acting on behalf of him, the chairperson and members and adjudicating officers and the staff of the cyber appellate tribunal in respect of anything done or intended to be done in good faith. This protection extends to all kinds of civil or criminal prosecution or proceedings. However, it requires that such act must have been done in good faith and not otherwise. It also extends towards checking the colorable use of the powers given in.

Section 84A: Modes or methods for encryption - The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.⁴

The Amendment of 2008 brings in this section and suggests that the central government may prescribe rules and regulations for the method of encryption for secure use of the electronic medium and promotion of e-governance as well as e-commerce. Furthermore, the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules 2009 are framed by the central government.

Section 84-B: Punishment for abetment of offences - Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act. Explanation: An Act or offence is said to be committed in consequence of abetment, when it is committed
in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.⁵

In consonance with section 107 IPC, this section says that if a person abets the commission of a crime mentioned in sections 65 to 75 of this Act, he shall be liable to the punishment provided for the offence under this Act. The explanation attached to this section lays down the same law as is laid down in section 107 IPC.

Section 84-C: Punishment for attempt to commit offences - Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.⁶

In tune with section 511 IPC, and in almost similar language, this section provides that whoever attempts to commit an offence punishable by this Act, or causes such an offence to be committed, and attempts to do any act towards the commission of the offence, shall, where no express provision is made by IPC for the punishment of such attempt, be punished with imprisonment of any description provided for the offence for a term which may extend to one-half of the imprisonment for life or one-half of the longest term of imprisonment provided for that offence, or such fine as is provided for the offence, or both.

Section 85: Offences by Companies - (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention. (2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly. Explanation - For the purposes of this section: i. "Company" means any Body Corporate and includes a Firm or other Association of individuals; and ii. "Director", in relation to a firm, means a partner in the firm.

This section makes liable for the offence such person as is in charge of, or responsible for, the company. For example, if a director tampers with the computer source documents, such director shall be punishable under section 65; similarly, where the partner of a partnership firm hacks into the computer system, he shall be liable under section 66 of this Act. As per the proviso to this section, if that person proves that the contravention or the offence took place without his knowledge or that he exercised all due diligence to prevent such contravention or offence, he shall not be liable under this section. However, section 79 of this Act lays down that an intermediary shall not be liable for any third party information or data made available by him if he proves that the offence or contravention was committed either without his knowledge or he has exercised all due diligence to prevent the commission of such contravention or offence. As per sub-section (2), where the contravention of any provision
282 Cyber and Technology Laws

of this act has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of any director, manager, secretary or other officer of the company, or is attributable to any neglect on the part of any such officer, such officers shall be liable to be proceeded against and punished accordingly.

In Aneeta Hada Vs. Godfather Travels and Tours Pvt. Ltd. AND Avnish Bajaj Vs. State AND Ebay India Pvt. Ltd. Vs. State and Anr.7 the appeal was filed against an order passed by the High Court on criminal liability for the offence under Sections 67 and 85 of the Information Technology Act, 2000. High Court directed offences under Section 67 read with Section 85 of Act 2000; however, the Supreme Court held that the analysis pertaining to Section 141 of Act 1881 would squarely apply to Act 2000. Thus, the director could not have been held liable for an offence under Section 85 of Act 2000. The company was not arraigned as an accused. Hence, the proceeding as initiated in its existing incarnation was not maintainable either against the company or against the director. The proceedings initiated against the Appellants/Managing Director of the company, as well as the company in its present form, were quashed.

Section 86: Removal of Difficulties-

(1) If any difficulty arises in giving effect to the provisions of this Act, the Central Government may, by order published in the Official Gazette, make such provisions not inconsistent with the provisions of this Act as appear to it to be necessary or expedient for removing the difficulty:

Provided that no order shall be made under this section after the expiry of a period of two years from the commencement of this Act.

(2) Every order made under this section shall be laid, as soon as may be after it is made, before each House of Parliament.
This section is meant to enable the central government to resolve difficulties arising particularly in relation to the transition period. However, no provision can be made under the section which runs counter to any of the express provisions of the act. Nevertheless, this section is not meant for excessive delegation of powers. While exercising this provision the central government
cannot change, disfigure or do violence to the basic structure and primary features of the act. In no case can it, under the guise of removing a difficulty, change the scheme and essential provisions of the act. However, a removal of difficulty order was issued by the central government on 19th September 2002, amending sections 25, 40, 42, 63, and 89.

Section 87: Power of Central Government to make rules -

(1) The Central Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:
(a) the conditions for considering reliability of electronic signature or electronic authentication technique under sub-section (2) of section 3-A;8
(aa) the procedure for ascertaining electronic signature or authentication under sub-section (3) of section 3-A;9
(ab) the manner in which any information or matter may be authenticated by means of electronic signature under section 5;10
(b) the electronic form in which filing, issue, grant or payment shall be effected under sub-section (1) of section 6;
(c) the manner and format in which electronic records shall be filed or issued and the method of payment under sub-section (2) of section 6;
(ca) the manner in which the authorised service provider may collect, retain and appropriate service charges under sub-section (2) of section 6-A;11
(d) the matters relating to the type of Electronic Signature12, manner and format in which it may be affixed under section 10;
(e) the manner of storing and affixing electronic signature creation data under section 15;13
(ea) the security procedures and practices under section 16;14
(f) the qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers15, other officers and employees under section 17;
(g) []16
(h) the requirements which an applicant must fulfill under sub-section (2) of section 21;
(i) the period of validity of license granted under clause (a) of sub-section (3) of section 21;
(j) the form in which an application for license may be made under sub-section (1) of section 22;
(k) the amount of fees payable under clause (c) of sub-section (2) of section 22;
(l) such other documents which shall accompany an application for license under clause (d) of sub-section (2) of section 22;
(m) the form and the fee for renewal of a license and the fee payable thereof under section 23;
(ma) the form of application and fee for issue of Electronic Signature Certificate under section 35;17
(n) the form in which application for issue of an Electronic Signature18 Certificate may be made under sub-section (1) of section 35;
(o) the fee to be paid to the Certifying Authority for issue of a Digital Signature Certificate under sub-section (2) of section 35;
(oa) the duties of subscribers under section 40-A;19
(ob) the reasonable security practices and procedures and sensitive personal data or information under section 43-A;20
(p) the manner in which the adjudicating officer shall hold inquiry under sub-section (1) of section 46;
(q) the qualification and experience which the adjudicating officer shall possess under sub-section (2) of section 46;
(r) the salary, allowances and the other terms and conditions of service of the Chairman and Members under section 52;
(s) the procedure for investigation of misbehavior or incapacity of the Presiding Officer Chairman and Members under sub-section (3) of section 54;
(t) the salary and allowances and other conditions of service of other officers and employees under sub-section (3) of section 56;
(u) the form in which appeal may be filed and the fee thereof under sub-section (3) of section 57;
(v) any other power of civil Court required to be prescribed under clause (g) of sub-section (2) of section 58; and
(w) the powers and functions of the Chairperson of the Cyber Appellate Tribunal under section 52-A;
(wa) the information, duration, manner and form of such information to be retained and preserved under section 67-C;21
(x) the procedures and safeguards for interception, monitoring or decryption under sub-section (2) of section 69;
(xa) the procedure and safeguards for blocking for access by the public under sub-section (2) of section 69-A;22
(xb) the procedure and safeguards for monitoring and collecting traffic data or information under sub-section (3) of section 69-B;23
(y) the information security practices and procedures for protected system under section 70;
(ya) manner of performing functions and duties of the agency under sub-section (3) of section 70-A;24
(yb) the officers and employees under sub-section (2) of section 70-B;25
(yc) salaries and allowances and terms and conditions of service of the Director General and other officers and employees under sub-section (3) of section 70-B;26
(yd) the manner in which the functions and duties of agency shall be performed under sub-section (5) of section 70-B;27
(z) the guidelines to be observed by the intermediaries under sub section (4) (2) of section 79;
(za) the modes or methods for encryption under section 8-A28

(3) Every notification made by the Central Government under sub-section (1) of section 70-A and every rule made by it shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the regulation or both Houses agree that the regulation should not be made, the regulation shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that regulation.

The limits within which the rule-making powers of the central government can be exercised are contained in sub section (1) of section 87. Such rules can be made after previous publication by way of notification in the official gazette. The central government, in tune with section 87, made the Information Technology (Certifying Authorities) Rules, 2000 and the Cyber Appellate Tribunal (Procedure) Rules, 2000. However, the list given in sub section 2 is not exhaustive at all. It simply sets out, by way of illustration, certain matters on which rules are considered needed. Sub section 3 provides that every notification and rule shall be laid before each house of parliament. The parliament may modify or annul any rule, and after its approval it shall come into force.
The rules framed by the central government may come into force without approval by the parliament, and in such a case any modification or annulment made by the parliament shall be without prejudice to the validity of anything previously done under the rules and notification.
Neither in this sub section nor in sub sections 1 and 2 of this section are there words that the regulation shall have the same effect as if enacted under this act. In the absence of these words, the court shall have the power to question the validity of the regulation.

Section 88: Constitution of Advisory Committee-

(1) The Central Government shall, as soon as may be after the commencement of this Act, constitute a Committee called the Cyber Regulations Advisory Committee.

(2) The Cyber Regulations Advisory Committee shall consist of a Chairperson and such number of other official and non-official members representing the interests principally affected or having special knowledge of the subject-matter as the Central Government may deem fit.

(3) The Cyber Regulations Advisory Committee shall advise
(c) the Central Government either generally as regards any rules or for any other purpose connected with this Act;
(d) the Controller in framing the regulations under this Act;

(4) There shall be paid to the non-official members of such Committee such traveling and other allowances as the Central Government may fix.

The Central Government constituted the cyber regulation advisory committee on 17.10.2000, consisting of one chairman and twelve members. The Minister in charge of information technology was appointed as chairman of the committee and the senior director of the ministry of information technology was appointed as member secretary. The advisory committee consists of a chairman, official members and non-official members. The only qualification to be a member of this committee is that they must represent interests principally affected or must have special knowledge of the subject matter.

List of members

In exercise of the powers conferred by section 88 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby constitutes the Cyber Regulation Advisory Committee,
consisting of the following, namely:

1. Minister, Information Technology - Chairman
2. Secretary, Legislative Department - Member
3. Secretary, Ministry of Information Technology - Member
4. Secretary, Department of Telecommunications - Member
5. Finance Secretary - Member
6. Secretary, Ministry of Defence - Member
7. Secretary, Ministry of Home Affairs - Member
8. Secretary, Ministry of Commerce - Member
9. Deputy Governor, Reserve Bank of India - Member
10. Shri T K Vishwanathan, Presently Member Secretary, Law Commission - Member
11. President, NASSCOM - Member
12. President, Internet Service Providers Association - Member
13. Director, Central Bureau of Investigation - Member
14. Controller of Certifying Authority - Member
15. Information Technology Secretary by rotation from the States - Member
16. Director General of Police by rotation from the States - Member
17. Director, IIT by rotation from the IITs - Member
18. Representative of CII - Member
19. Representative of FICCI - Member
20. Representative of ASSOCHAM - Member
21. Senior Director, Ministry of Information Technology - Member Secretary

The work profile of the committee includes advising the central government either generally as regards any rules or for any other purpose connected with this act. The advisory committee shall advise the controller of certifying authorities in framing regulations under this act.

Section 89: Power of Controller to make Regulations-

(1) The Controller may, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette, make regulations consistent with this Act and the rules made there under to carry out the
purposes of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:
a. the particulars relating to maintenance of database containing the disclosure record of every Certifying Authority under clause (n) [Substituted for (m) vide amendment dated 19/09/2002] of section 18;
b. the conditions and restrictions subject to which the Controller may recognize any foreign Certifying Authority under sub-section (1) of section 19;
c. the terms and conditions subject to which a license may be granted under clause (c) of sub-section (3) of section 21;
d. other standards to be observed by a certifying authority under clause (d) of section 30;
e. the manner in which the Certifying Authority shall disclose the matters specified in sub-section (1) of section 34;
f. the particulars of statement which shall accompany an application under sub-section (3) of section 35;
g. the manner by which a subscriber communicates the compromise of private key to the Certifying Authority under sub-section (2) of section 42;

(3) Every regulation made under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the regulation or both Houses agree that the regulation should not be made, the regulation shall thereafter have effect only in such modified form or be of no effect, as the case may be; so however, that any such modification or annulment shall
be without prejudice to the validity of anything previously done under that regulation.

This section empowers the controller to make rules after consultation with the cyber regulation advisory committee and with the previous approval of the central government, and they must be consistent with this act and the rules made there under. It is clear from the language that sub section 2 of this section is no impediment to sub section 1. However, the list in the sub section is not exhaustive at all. Sub section 3 provides that such regulations shall be laid before each house of parliament. The parliament may modify or annul any regulation, and after its approval it will come into force. Neither in this sub section nor in sub sections 1 and 2 of this section are there words that the regulation shall have the same effect as if enacted under this act. In the absence of these words, the court shall have the power to question the validity of the regulation.

Section 90: Power of State Government to make rules-

(1) The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely:
a. the electronic form in which filing, issue, grant, receipt or payment shall be effected under sub-section (1) of section 6;
b. for matters specified in sub-section (2) of section 6;
c. [ ]29

(3) Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.

Section 90 of the act empowers the state government to make rules by notification to carry out the provisions of the act. The matters in respect of which such rules may be made are specified therein.
These matters relate to the electronic form in which filing, creation, grant, or payment shall be effected, and certain other
matters specified in sub section 2 of section 6.

Section 91: Amendment of Act 45 of 1860. [Omitted by the Information Technology (Amendment) Act, 2008 (10 of 2008), Section 48 (w.e.f. 27-10-2009).]

Section 92: Amendment of Act 1 of 1872. [Omitted by the Information Technology (Amendment) Act, 2008 (10 of 2008), Section 48 (w.e.f. 27-10-2009).]

Section 93: Amendment of Act 18 of 1891. [Omitted by the Information Technology (Amendment) Act, 2008 (10 of 2008), Section 48 (w.e.f. 27-10-2009).]

Section 94: Amendment of Act 2 of 1934. [Omitted by the Information Technology (Amendment) Act, 2008 (10 of 2008), Section 48 (w.e.f. 27-10-2009).]

References
1. MANU/GH/0513/2011
2. 2011(3)GLT813
3. Inserted by Information Technology (Amendment) Act, 2008
4. Inserted by Information Technology (Amendment) Act, 2008
5. Inserted by Information Technology (Amendment) Act, 2008
6. Inserted by Information Technology (Amendment) Act, 2008
7. (2012)5SCC661
8. Substituted by Information Technology (Amendment) Act, 2008
9. Inserted by Information Technology (Amendment) Act, 2008
10. Inserted by Information Technology (Amendment) Act, 2008
11. Inserted by Information Technology (Amendment) Act, 2008
12. Substitution of words digital signature by words electronic signature by ITAA 2008
13. Substituted by Information Technology (Amendment) Act, 2008
14. Inserted by Information Technology (Amendment) Act, 2008
15. Substituted by Information Technology (Amendment) Act, 2008
16. Omitted vide ITAA-2008
17. Inserted by Information Technology (Amendment) Act, 2008
18. Substitution of words digital signature by words electronic signature by ITAA 2008
19. Inserted by Information Technology (Amendment) Act, 2008
20. Inserted by Information Technology (Amendment) Act, 2008
21. Inserted by Information Technology (Amendment) Act, 2008
22. Inserted by Information Technology (Amendment) Act, 2008
23. Inserted by Information Technology (Amendment) Act, 2008
24. Inserted by Information Technology (Amendment) Act, 2008
25. Inserted by Information Technology (Amendment) Act, 2008
26. Inserted by Information Technology (Amendment) Act, 2008
27. Inserted by Information Technology (Amendment) Act, 2008
28. Inserted by Information Technology (Amendment) Act, 2008
29. Omitted by ITAA, 2008