40
CH. 6
CHAPTER 06
INFORMATION TECHNOLOGY ACT, 2000
6.1 INTRODUCTION
The first 17 Sections of the Act are largely based on the Model Law on Electronic Commerce adopted by the
United Nations Commission on International Trade Law (UNCITRAL), which the General Assembly of the
United Nations recommended on 30th January 1997 for States to consider when drafting new law.
UNCITRAL - Model Law on Electronic Commerce
This Model Law provides for equal legal treatment of users of electronic communication and paper based
communication. The General Assembly of United Nations by its Resolution No. 51/162 dated 30th January
1997 recommended that all States should give favourable considerations to the said Model Law when they
enact or revise their laws.
(a) To grant legal recognition for transactions carried out by means of Electronic Data Interchange and other
means of electronic communication, commonly referred to as electronic commerce, in place of paper-based
methods of communication.
(b) To give legal recognition to Digital Signatures for authentication of any information or matter which requires
authentication under any law.
(c) To facilitate electronic filing of documents with Government departments
(d) To facilitate electronic storage of data.
(e) To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions.
(f) To give legal recognition for keeping books of account by Bankers in electronic form.
(g) Certifying authorities will be licensed to issue digital signature certificates and a regulatory regime will be
established to supervise the certifying authorities who will not, themselves be a part of the bureaucracy.
The Act extends to the whole of India including the State of Jammu and Kashmir. It also applies to any offence
or contravention committed under the Act outside India by any person. However, this is subject to certain
conditions.
Documents excluded from the purview of the Act and justification therefor
The Act does not apply to:
1. A Negotiable Instrument as defined in the Negotiable Instruments Act, 1881.
2. A Power of Attorney as defined in the Powers of Attorney Act, 1882.
3. A trust as defined in the Indian Trusts Act, 1882.
4. Any contract for the sale or conveyance of immovable property or any interest in such property.
5. Any such class of documents or transactions as may be notified by the Central Government in the Official
Gazette. This is an enabling and residuary clause.
An Internet or network of computers can operate without constraints of space, state borders, etc. Though they
are only a medium for the storage, analysis and communication of information, they virtually create a world of
their own, a medium in which business can be transacted without any of the inhibitions that the real world
imposes.
The New Shorter Oxford Dictionary explains the expression cyberspace as follows:
IIPM
The notional environment within which electronic communication occurs, especially when represented as
the inside of a computer system; space perceived as such by an observer but generated by a computer
system, and having no real existence; the space of virtual reality.
Cyberspace is a computer-governed environment which does not exist in reality but yet serves many of the
purposes that the visible, tangible world serves. The Act does not mention cyberspace, but dubs the Appellate
Tribunal for which it provides the Cyber Tribunal.
A process used to confirm the identity of a person or to prove the integrity of information.
Message authentication involves determining its source and verifying that it has not been modified or replaced
in transit.
Any subscriber may authenticate an electronic record by affixing his digital signature. The authentication shall
be effected by the use of an asymmetric crypto system and a hash function, which envelop and transform the
initial electronic record into another electronic record.
[Figure: the digital signature process. Labels in the diagram: digital signature; message digest; hash function
(algorithm run over agreement content); digital certificate.]
A Personal Digital Certificate serves as the digital identity of an individual. Just as a Driver's License can be
used to identify someone who can legally drive in a particular country, a Digital Certificate can be presented
electronically to prove an individual's identity or right to access information or services on the Internet.
Digital Certificates are used to secure information and assure the identities of their owners. They also provide
a means of associating individuals with electronic documents, similar to the manner in which handwritten
signatures associate individuals with paper documents.
For a Digital Certificate to be trusted, it needs to be endorsed by a recognized third party that is empowered by
the law to issue Digital Certificates.
The following steps are followed for obtaining a Digital Certificate:
1. The sender sends his public key to the Certification Authority along with information specific to his
identification and other relevant information.
2. The Certification Authority uses this information to verify the sender and his public key; if everything is in
order, the Certification Authority returns to the sender a Digital Certificate that confirms the validity of the
sender's public key.
3. In effect, the Certification Authority certifies the public key by digitally signing the sender's public key with
the authority's private key and placing this signature on the Digital Certificate. Any user who wants to use
someone's public key can verify its validity by applying the Certification Authority's public key to the
certificate. In this way the user obtains the actual public key of the sender and can tally it with the public key
supplied by the sender.
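The flow in steps 1 to 3 above, together with the earlier paragraph on authentication by hash function and asymmetric system, as an added Go example that is not part of these lecture notes or of the Act: it assumes a simplified certificate body (subscriber name followed by the public key) in place of X.509, and the subscriber name and agreement text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// signRecord: SHA-256 (the hash function) over the record gives the message
// digest; signing that digest with the private key gives the digital signature.
func signRecord(priv *rsa.PrivateKey, record []byte) []byte {
	digest := sha256.Sum256(record)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only a broken RNG or key can cause this
	}
	return sig
}

// verifyRecord recomputes the digest and checks the signature with the public
// key; any change to the record, or a wrong key, makes it return false.
func verifyRecord(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Scenario: the CA certifies the subscriber's public key, a relying party checks
// the certificate with the CA's key, then a signed record and a tampered copy.
func Scenario() (certValid, recordValid, tamperedValid bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	subKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed certificate body (name + public key, not real X.509), CA-signed.
	cert := append([]byte("subscriber@example.invalid\x00"),
		x509.MarshalPKCS1PublicKey(&subKey.PublicKey)...)
	certValid = verifyRecord(&caKey.PublicKey, cert, signRecord(caKey, cert))
	record := []byte("Agreement: deliver 100 units by 30 June") // constructed
	recSig := signRecord(subKey, record)
	recordValid = verifyRecord(&subKey.PublicKey, record, recSig)
	// The same signature over an altered record fails the integrity check.
	tampered := []byte("Agreement: deliver 900 units by 30 June")
	tamperedValid = verifyRecord(&subKey.PublicKey, tampered, recSig)
	return
}

func main() {
	fmt.Println(Scenario()) // true true false
}
```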
Depending on the level of trustworthiness one wants to create towards the people he/she communicates with
over the Net, the CA offers three classes of Personal Certificates:

Class 1 - Utility purpose:
Digitally sign email, encrypt email; authenticate to a Web Server to engage in secure communication.
This protects all information, such as credit card details, that one sends to the Web Server.
These certificates are not intended for, and shall not be relied upon for, commercial use where proof
of identity is required.

Class 2 - Utility purpose:
These Certificates are issued following a top-down approach.
They are issued as Managed Digital Certificates to employees/partners/affiliates/customers of business and
government organizations that are ready to assume the responsibility of verifying the accuracy of
the information submitted by their employees/partners/affiliates/customers.
The organization is given a Digital Certificate signed by the CA to initiate the process of issuing
Certificates to its employees/partners/affiliates/customers.
The entire organization is treated as a Sub-CA/RA.
The Sub-CA/RA in turn requests the issue of Digital Certificates for employees/partners/affiliates/
customers of the organization from the CA.
The verification of details supplied with the request for a Digital Certificate is done by the organization
appointed as a Sub-CA/RA under the CA Trust Network.

Class 3 - Utility purpose:
Certificates are issued to individuals, companies and government organizations. They can be used
both for personal and commercial purposes.
They are typically used for electronic commerce applications such as electronic banking, electronic
data interchange (EDI), and membership-based on-line services, where security is a major concern.
The level of trust created by the Digital Certificate is based on the authentication procedures used by
the CA to verify the subscriber's identity and the service guarantees offered by the CA to back up that
authentication.
Usually, the CA uses various procedures to obtain evidence of the subscriber's identity before issuing
the Class-3 Certificate. During verification, the subscriber will also need to be physically present
before a Registration Authority (RA), qualified by the CA due to their neutrality and reliability. These
validation procedures provide stronger assurances of an applicant's identity.
Example: TCS has been granted a licence as CA (Certifying Authority). Bombay Stock Exchange
(BSE) is the RA (Registration Authority) for members of that stock exchange.
Generally, the CA offers Single Key Pair and Dual Key Pair support for Personal Digital Certificates, which can
be used for Digital Signature and Encryption purposes.
A provision is also available to back up the credentials the subscriber has used to receive encrypted
messages/documents, so that the encrypted messages/documents can be recovered if he/she has lost the
private key, or if required in his/her absence, using the backed-up credentials. This can be of great help for
organizations, wherein it is necessary to recover the encrypted information received by an employee after
he/she has left the organization.
LECTURES BY PROF. S N GHOSH
The Signing Certificate is used for preparing the Digital Signature that provides Authenticity, Non-Repudiation
and Integrity to electronic communication. The Signing Certificate can be used to digitally sign documents,
messages, email and can also be used as an identification for the electronic application and in SSL
communication with a Web Server.
Encryption key pairs that are generated at the CA end are made available to their respective owners
(subscribers) in a secure manner through strong authentication procedures.
The Encryption Certificate is used for encrypting documents, messages and other forms of electronic
communication, providing confidentiality.
This type of Certificate is backed up. To achieve this, the credentials (key pairs) are generated at the CA end,
unlike the other types of Certificates, where the credentials (key pairs) are generated at the Subscriber's end.
The CA backs up the key pair and sends a copy to the Subscriber in a highly secure manner.
Attribution of electronic records - an electronic record shall be attributed to the originator if it was sent by:
(i) him;
(ii) any authorised person; or
(iii) an information system programmed by or on behalf of the originator to operate automatically.
Acknowledgement of receipt - the acknowledgement of receipt of an electronic record may be sent by the
addressee:
(i) in the prescribed form;
(ii) by conduct sufficient to indicate its receipt by the addressee; or
(iii) by any automated communication by the addressee.
Circumstances where acknowledgement though not stipulated, not received after due Notice - Where
the originator has not stipulated that the electronic record shall be binding only on receipt of such
acknowledgement and the acknowledgement has not been received by the originator within the specified time
or within a reasonable time, then, the originator may give notice to the addressee stating that no
acknowledgement has been received by him and specifying a reasonable time by which the acknowledgement
must be received by him. If no acknowledgement is received within the aforesaid time limit, the originator may
after giving notice to the addressee, treat the electronic record as though it has never been sent.
Time and place of despatch and receipt of electronic record
The despatch of an electronic record - when it enters a computer resource outside the control of the originator.
The time of receipt of an electronic record - (i) the time when receipt occurs at the designated electronic record
resource; or (ii) the time when the electronic record is retrieved by the addressee.
Place of despatch - at the place where the originator has his usual place of business or residence.
THE CENTRAL GOVERNMENT HAS NOTIFIED RULES, REGULATIONS AND GUIDELINES FOR THE
PURPOSE OF THIS ACT.
A Controller of Certifying Authorities may be appointed by the Central Government by notification in the Official
Gazette. Deputy Controllers and Assistant Controllers may also be appointed as the Government may think fit.
The Central Government has prescribed qualifications, experience and terms and conditions of service of
Controller, Deputy Controllers and Assistant Controllers. There shall be a seal of the Office of the Controller.
The Controller may recognise any foreign Certifying Authority as a Certifying Authority. This shall, however, be
done with the previous approval of the Central Government and by notification in the Official Gazette.
Any person may make an application, in the prescribed form along with the requisite documents/information and
fees, to the Controller for a licence to issue Digital Signature Certificates. The Controller, on being satisfied, may
grant a licence for a prescribed period subject to specified terms and conditions. The Controller may revoke the
licence upon violation thereof by the Certifying Authority. The revocation shall also be publicised on the web page
of the Controller.
Every Certifying Authority shall follow prescribed procedures in respect of digital signatures.
By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information
contained in the Digital Signature Certificate that:
(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature
Certificate and is entitled to hold the same;
(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the
information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.
Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public
key listed in his Digital Signature Certificate. He shall take all steps to prevent its disclosure to a person not
authorised to affix the digital signature of the subscriber.
A penalty not exceeding Rs. One Crore may be imposed as compensation for damages for doing, or causing to
be done, the following acts without permission of the owner or any other person who is in charge of a computer,
computer system or computer network:
(i) accesses or secures access;
(ii) downloads, copies or extracts any data, computer data base or information;
(iii) introduces any virus;
Failure to file requisite returns or information, or to maintain books or records, shall entail specified penalties;
where no penalty has been prescribed, compensation for damages not exceeding Rs. 25,000 may be imposed.
The Adjudicating Officer, not below the rank of Director, shall hold an enquiry to determine whether any violation
under the Act or the Rules or Regulations framed thereunder has been committed by any person. He shall have
the powers of a Civil Court.
The Cyber Regulations Appellate Tribunal has been constituted. Appeals against the orders of the Adjudicating
Officer may be preferred before this Tribunal.
The Civil Courts have been barred from entertaining any suit or proceedings in respect of any matter which an
adjudicating officer or Tribunal is empowered to handle.
An appeal shall lie to the High Court against an order or decision of the Cyber Appellate Tribunal.
Penalties (pecuniary and imprisonment) have been provided under the Act for the following types of offences:
(i) Tampering with Computer Source Documents
(ii) Hacking with Computer System
(iii) Publication of obscene information in electronic form
(iv) Misrepresentation
(v) Breach of Confidentiality
(vi) Publishing False Digital Signature Certificate
(vii) Fraudulent Publication
(viii) Offence Committed Outside India
(ix) Confiscation
Further, any police officer not below the rank of DSP, or any other authorised person, may enter any public place,
search and arrest without warrant any person reasonably suspected of having committed any offence specified
under the Act.