IIPM

40

CH. 6

INFORMATION TECH. ACT

CHAPTER 06
INFORMATION TECHNOLOGY ACT, 2000
6.1

INTRODUCTION

Source of the Act

The first 17 Sections of the Act are largely based on Model Law on Electronic Commerce adopted by United
Nations Commission on International Trade Law (UNCITRAL) recommended by the General Assembly of the
United Nations on the 30th January, 1997 in drafting its new law.
UNCITRAL - Model Law on Electronic Commerce
This Model Law provides for equal legal treatment of users of electronic communication and paper based
communication. The General Assembly of United Nations by its Resolution No. 51/162 dated 30th January
1997 recommended that all States should give favourable considerations to the said Model Law when they
enact or revise their laws.

The macro perspectives were:

(a) to facilitate electronic commerce among and within nations,
(b) to validate transactions entered into by means of new information technologies,
(c) to promote and encourage the implementation of new information technologies,
(d) to promote the uniformity of law: and
(e) to support commercial practice.
The micro perspectives were:
(a) to establish rules and norms that validate and recognise Contracts formed through electronic means,
(b) to set default rules for contract formation and governance of electronic contract performance,
(c) to define the characteristics of a valid electronic writing and an original document,
(d) to provide for the acceptability of electronic signatures for legal and commercial purposes, and
(e) to support the admission of computer evidence in courts and arbitration proceedings.

Objectives of the IT Act, 2000

(a) To grant legal recognition for transactions carried out by means of Electronic Data Interchange and other
means of electronic communication commonly referred to as electronic commerce in place of paperbased methods of communication.
(b) To give legal recognition to Digital Signature for authentication of any information or matter which requires
authentication under any law
(c) To facilitate electronic filing of documents with Government departments
(d) To facilitate electronic storage of data.
(e) To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions.
(f) To give legal recognition for keeping books of account by Bankers in electronic form.
(g) Certifying authorities will be licensed to issue digital signature certificates and a regulatory regime will be
established to supervise the certifying authorities who will not, themselves be a part of the bureaucracy.
The Act extends to the whole of India including the State of Jammu and Kashmir. It also applies to any offence
or contravention committed under the Act outside India by any person. However, this is subject to certain
conditions.

Documents excluded from the purview of the Act and justification therefor

The Act does not apply to1. A Negotiable Instrument as defined in the Negotiable Instruments Act, 1881.
2. A Power of Attorney as defined in the Powers of Attorney Act, 1882. .
3. A trust as defined in the Indian Trusts Act, 1882.
4. Any contract for the sale or conveyance of immovable property or any interest in such property. Any
such class of documents or transactions as may be notified by the Central Government in the Official
Gazette. This is an enabling and residuary clause.

An Internet or network of computers can operate without constrains of space, state borders, etc. Though they
are only a medium for storage and analysis and communication of information, they virtually create a world of
their own a medium in which business can be transacted without any of the inhibitions that the real world
imposes.
The New Shorter Oxford Dictionary explains the expression cyberspace as follows:

CYBER SPACE MEANING THEREOF

LECTURES BY PROF. S N GHOSH

IIPM

CH. 6

41

INFORMATION TECH. ACT

The notional environment within which electronic communication occurs, especially when represented as
the inside of a computer system; space perceived as such by an observer but generated by a computer
system, and having no real existence; the space of virtual reality.
Cyberspace is computer-governed environment, which does not exist in reality but yet serves many of the
purposes that the visible, tangible world serves. The Act does not mention cyberspace but dubs the Appellate
Tribunal for which it proves as Cyber Tribunal

6.2 AUTHENTICATION OF ELECTRONIC RECORDS USING DIGITAL SIGNATURES

[SECTION 3]
What is `Authentication`

A process used to confirm the identity of a person or to prove the integrity of information.
Message authentication involves determining its source and verifying that it has not been modified or replaced
in transit.
Any subscriber may authenticate an electronic record by affixing his digital signature. The authentication shall
be effected by the by use of asymmetric system and hash function which envelop and transform the initial
electronic record into another electronic record.

DIGITAL SIGNATURE

The digital signature is created in two distinct steps.

(i) Firstly - the electronic record is converted into a message digest by using a mathematical function known
as hash function which digitally freezes the electronic record thus ensuring the integrity of the content of
the intended communication.
(ii) Secondly, the identity of the person affixing the digital signature is authenticated through the use of a
private key which attaches itself to the message digest and which can be verified by any person who has
the public key according to such private key. This will enable any person to verify whether the electronic
record is retained intact or has been tampered with. It will also enable a person who has a public key to
identify the originator of the electronic message.
'Hash function' - an algorithm mapping or translation of one sequence of bits into another (generally smaller) set
known as 'hash result' such that an electronic record yields the same hash result every time the algorithm is
executed with the same electronic record as its input making it computationally infeasible:
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm, and
(b) that two electronic records can produce the same hash result using the algorithm.
CONTENT
OF
AGREEMENT
TO
BE
SIGNED
ELECTRONICALLY

MESSAGE DIGEST

HASH FUNCTION
ALOGRITHM RUN
OVER AGREEMENT
CONTENT

MESSAGE DIGEST ENCRYPTED WITH

PRIVATE KEY OF SENDER GENERATE
DIGITAL SIGNATURE WHICH ARE
EMBOSSED ON THE AGREEMENT

RECEIVER AGAIN GENERATES THE MESSAE DIGEST

BY RUNNING HASH FUNCTION ALOGRITH OVER THE
ORIGINAL CONTENT OF MESSAGE AND IF MESSAGE
DIGEST GENERATED AFTER DECRYPTING DIGITAL
SIGNATURE OF SENDER WITH SENDER PUBLIC KEY,
IT PROVES THAT THE CONTENTS ARE NOT
CHANGED AND SIGNATURE BELONGS TO THE

AT RECEIVER DIIGTAL SIGNATURE ARE

DECRYPTED WITH SENDER PUBLIC KEY AND
IT GENERTAE MESSAGE DIGEST

DIGITAL CERTIFICATE

A Digital Certificate is a digital representation of information which at least

(1) identifies the certification authority issuing it,
(2) names or identifies its Subscriber,
(3) contains the Subscriber's public key,
(4) identifies its operational period, and
(5) is digitally signed by the certification authority issuing it.
A Digital Certificate is a data structure used in a public key system to bind a particular, authenticated individual
to a particular public key.
LECTURES BY PROF. S N GHOSH

IIPM

42

CH. 6

INFORMATION TECH. ACT

A Personal Digital Certificate serves as the digital identity of an individual. Just as a Driver's License can be
used to identify someone who can legally drive in a particular country, a Digital Certificate can be presented
electronically to prove an individual's identity or right to access information or services on the Internet.
Digital Certificates are used to secure information and assure the identities of their owners. They also providing
a means of associating individuals with electronic documents similar to the manner in which handwritten
signatures associate individuals with the paper documents.
For a Digital Certificate to be trusted, it needs to be endorsed a recognized third party that is empowered by the
law to issue Digital Certificates.
Following steps are followed for obtaining Digital certificate:
1.
Sender sends his public key to Certification Authority along with information specific to his identification and
other relevant information.
2.
The Certification Authority uses his information to verify sender and his public key, if every thing is OK, the
Certification Authority returns the sender a Digital Certificate that confirms the validity of Sender Public Key.
3.
Actually Certification Authority certifies public key by digitally signing the sender public key with authority
private key and authority put this sign on Digital Certificate. And any user who wants to use some one's
public key can verify its validity by applying the certification authority public key to the certificate. In this way
user would get actual public key of sender and can tally this public key with the public key supplied by the
sender.
Depending on the level of trustworthiness one wants to create towards the people he/she communicates with
over the Net, the CA offers three classes of Personal Certificates:
CLASS

Class- 1

Class 2

Class - 3

UTILITY PURPOSE

Digitally sign email, Encrypt email; Authenticate to a Web Server to engage in secure communication.
This protects all information such as credit card details that one sends to the Web Server .
These certificates are not intended for, and shall not be relied upon, for commercial use where proof
of identity is required.
These Certificates are issued following a top down approach.
Issued as Managed Digital Certificates to employees/ partners/ affiliates/ customers of business and
government organizations those are ready to assume the responsibility of verifying the accuracy of
the information submitted by their employees/ partners/ affiliates/ customers.
The organization is given a Digital Certificate signed by the CA to initiate the process of issuing
Certificates to its employees/ partners/ affiliates/ customers.
The entire organization is treated as a Sub-CA/RA.
The Sub-CA/RA in turn requests the issue of Digital Certificates for employees/ partners/ affiliates/
customers of the organization from the CA.
The verification of details supplied with the request for a Digital Certificate is done by the organization
appointed as a Sub-CA/RA under the CA Trust Network
Certificates are issued to individuals, companies and government organizations. They can be used
both for personal and commercial purposes.
They are typically used for electronic commerce applications such as electronic banking, electronic
data interchange (EDI), and membership-based on-line services, where security is a major concern.
The level of trust created by the Digital Certificate is based on the authentication procedures used by
the CA to verify subscribers identity and the service guarantees offered by the CA to back up that
authentication.
Usually, the CA uses various procedures to obtain evidence of subscribers identity before issuing
you the Class-3 Certificate. During verification, the subscriber will also need to be physically present
before a Registration Authority (RA), qualified by the CA due to their neutrality and reliability. These
validation procedures provide stronger assurances of an applicant's identity.
Example TCS has been granted licence as CA (Certifying Authority). Bombay Stock Exchange
(BSE) is the RA (Registering Authority) for members of that stock exchange.

Types of Digital Certificates

Generally, the CA offers Single Key Pair and Dual Key Pair support for Personal Digital Certificates, which can
be used for Digital Signature and Encryption purposes.
A provision is also available to back-up the credentials the subscriber has used to receive encrypted
messages/documents, so that the encrypted messages/documents can be recovered if he/she has lost the
private key or if required in his/her absence, using the backed-up credentials. This can be of great help for
LECTURES BY PROF. S N GHOSH

IIPM

43

Single Key Pair

6.3

2)
3)

4)

5)
6)
7)

Utility purpose

In the Single Key pair option, Digital Certificates can be

used for signing and/or encryption. The credentials used
for encryption are not backed-up.
In the Dual Key pair option, the credentials used for
encryption are backed-up. The credentials used for
Digital Signature are not backed-up as that would violate
the notion of Authentication and Non-Repudiation.

Dual Key Pair

1)

INFORMATION TECH. ACT

organizations, wherein, it is necessary to recover the encrypted information received by an employee after
he/she has left the organization.
The Signing Certificate is used for preparing the Digital Signature that provides Authenticity, Non-Repudiation
and Integrity to electronic communication. The Signing Certificate can be used to digitally sign documents,
messages, email and can also be used as an identification for the electronic application and in SSL
communication with a Web Server.
Encryption key pairs that are generated at the CA end are made available to their respective owners
(subscribers) in a secure manner through strong authentication procedures.
The Encryption Certificate is used for encrypting documents, messages and other forms of electronic
communication that provide confidentiality.
This type of Certificate is backed-up. To achieve this, the credentials (Key-pairs) are generated at the CA end
unlike the other types of Certificates where the credentials (Key-pairs) are generated at the Subscriber's end.
The CA backs-up the key-pair and sends a copy to the Subscriber in a highly secure manner.
Types

CH. 6

SOME IMPORTANT LEGAL PROVISIONS

ELECTRONIC GOVERNANCE [SECTIONS 4 TO 10]

The Act provides following legal protection for filing, retention, preservation, payment etc. in the
electronic/digital modes: Legal recognition of electronic records all documents that are required to be in writing or typewritten or
printed form, can now be made available and subsequently accessible in an electronic form.
Legal recognition of digital signatures all documents that require signature (manual) can now be
authenticated by means of digital signature affixed.
Filing of applications, forms, fees payment to Govt. in prescribed electronic mode all the applications,
documents/information for grant of licence, permit, sanction, approval, receipt or payment of money may now
be filed/made with Government or its agencies in the electronic mode. The Government has prescribed rules
and forms for the purpose.
Retention and retrieval of electronic records documents, records or information that required to be
retained can now retained in the electronic form. Such information shall remain accessible and usable for a
subsequent reference; retained in the format as was originally generated. The details facilitating the
identification of the origin, destination date and time of despatch or receipt of such electronic record shall also
be made available.
Publication of rule, regulation, etc., in Electronic Gazette - the Official Gazette shall also be published in
the electronic mode. Such Gazette will be called `Electronic Gazette`. The date of publication shall be the date
of the Gazette, which was first published in any form.
No right to insist acceptance, retention or preservation of document in electronic form The Central or
State Government or its agencies shall not insist that documents/information shall exclusively be in electronic
form.
Power to make rules by Central Government in respect of digital signature - The Central Government
has been authorized to prescribed rules of types, manner, format, control, integrity, security and confidentially of
digital signatures and electronic records.

ATIRIBUTION, ACKNOWLEDGEMENT AND DESPATCH OF ELECTRONIC RECORDS

[SECTIONS 11 TO 16]

Attribution electronic records - an electronic record shall be attributed to the originator if it was sent by
(i)
him;
(ii)
any authorized person or
(iii)
an information system programmed by or on behalf of the originator to operate automatically.
Acknowledgement of receipt - the acknowledgement of receipt of electronic record may be sent by the
address
LECTURES BY PROF. S N GHOSH

IIPM

44

CH. 6

INFORMATION TECH. ACT

(i)
in prescribed form or
(ii)
conduct sufficient to indicate its receipt by the addressee
(iii)
any automated communication by addressee
Circumstances where acknowledgement though not stipulated, not received after due Notice - Where
the originator has not stipulated that the electronic record shall be binding only on receipt of such
acknowledgement and the acknowledgement has not been received by the originator within the specified time
or within a reasonable time, then, the originator may give notice to the addressee stating that no
acknowledgement has been received by him and specifying a reasonable time by which the acknowledgement
must be received by him. If no acknowledgement is received within the aforesaid time limit, the originator may
after giving notice to the addressee, treat the electronic record as though it has never been sent.
Time and place of despatch and receipt of electronic record The despatch of an electronic record - when it enters a computer resource outside the control of the originator;
The time of receipt of an electronic record (i) the time when receipt occurs at the designated electronic record
resource or (ii) At the time when the electronic record is retrieved by the addressee;
Place of despatch - at the place where the originator has his usual place of business or residence.
THE CENTRAL GOVERNMENT HAS NOTIFIED RULES, REGULATIONS AND GUIDELINES FOR THE
PURPOSE OF THIS ACT.

REGULATION OF CERTIFYING AUTHORITIES [SECTIONS 17 TO 42]

Appointment, functions and powers of Controller of Certifying Authorities

A Controller of Certifying Authorities may be appointed by the Central Government by notification in the Official
Gazette. Deputy Controllers and Assistant Controllers may also be appointed as the Government may think fit.
The Central Government has prescribed qualifications, experience and terms and conditions of service of
Controller, Deputy Controllers and Assistant Controllers. There shall be a seal of the Office of the Controller.
The Controller may recognise any foreign Certifying Authority as a Certifying Authority. This shall however, be
done with the previous approval of the Central Government and by notification in the Official Gazette,
Any person may make an application, in the prescribed form along with requisite documents/information and
fees to the Controller for a licence to issue Digital Signature Certificates. The Controller on being satisfied may
grant licence for a prescribed period subject to specified terms and conditions. The Controller may revoke the
licence upon violation thereof by the Certifying Authority. The revocation be also publicized in the web page of
the controller.
Every Certifying Authority shall follow prescribed procedures in respect of digital signatures.
By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information
contained in the Digital Signature Certificate that---(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature
Certificate and is entitled to hold the same;
(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the
information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.
Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public
key listed in his Digital Signature Certificate. He shall take all steps to prevent its disclosure to a person not
authorised to affix the digital signature of the subscriber.

Controller to act as repository

The Controller shall be repository of all Digital Signature Certificates.

Further to ensure that the secrecy and security of the digital signatures the Controller shall make use of
appropriate hardware, software and procedures to prevent intrusion and misuse.
The Controller shall maintain a computerised database of all public keys and the same be available to any
member of the public.

PENALTIES AND ADJUDICATION [SECTIONS 43 TO 47]

Penalty for damage to computer, computer system, etc.

A penalty not exceeding Rs. One Crore may be imposed as compensation for damages for doing or causing to
do the following acts without permission of the owner or any other person who is in charge of a computer,
computer system or computer network:(i)
Accesses or secures access:
(ii)
Downloads, copies or extracts any data, computer data base or information;
(iii)
Introduces introduce any virus;
LECTURES BY PROF. S N GHOSH

IIPM

(iv)
(v)
(vi)
(vii)
(viii)

45

CH. 6

INFORMATION TECH. ACT

Damages any database or any other programmes;

Disrupts any computer, computer system or computer network;
Denies access to any authorised person
Provides any assistance to any person to facilitate access;
Charges the services availed of by a person to the account of another person.

Penalty for failure to furnish information, return, etc.

Failure to file requisite Returns, Information, maintain Books or records shall entail specified penalties. And
where no penalty has been prescribed compensation damages not exceeding Rs. 25,000 may be imposed.

Adjudicating Officer (not below the rank of Director) to adjudicate

The Adjudicating Officer not below the rank if Director shall hold enquiry to determine whether any violation
under the Act or Rules or Regulations framed thereunder has been committed by any person. He shall have the
powers of a Civil Court.

The Cyber Regulations Appellate Tribunal has been constituted. Appeals against the orders of the Adjudicating
Officer may be preferred before this Tribunal.
The Civil Courts have been barred from entertaining any suit or proceedings in respect of any matter which an
adjudicating officer or Tribunal is empowered to handle.
An appeal shall lie to the High Court against an order or decision of the Cyber Appellate Tribunal.

CYBER REGULATIONS APPELLATE TRIBUNAL [SECTIONS 48 TO 64]

COMPUTER OFFENCES [SECTION 65 TO 68]

Penalties (pecuniary and imprisonment) have been provided under the Act for the following types of offences:
(i)
Tampering with Computer Source Documents
(ii)
Hacking with Computer System.
(iii)
Publication or obscene information in electronic form
(iv)
Misrepresentation
(v)
Breach of Confidentiality
(vi)
Publishing False Digital Signature Certificate
(vii)
Fraudulent Publication
(viii)
Offence Committed Outside India
(ix)
Confiscation
Further any police officer not below the rank of DSP or any other authorised person may enter any public place,
search and arrest without warrant any person reasonably suspected or having committed any offence specified
under the Act.

LECTURES BY PROF. S N GHOSH