CYBER LAWS

India became independent on 15th August, 1947. In the 49th year of Indian
independence, Internet was commercially introduced in our country. The
beginnings of Internet were extremely small and the growth of subscribers
painfully slow. However as Internet has grown in our country, the need has
been felt to enact the relevant Cyberlaws which are necessary to regulate
Internet in India. This need for cyberlaws was propelled by numerous
factors.

Firstly, India has an extremely detailed and well-defined legal system in
place. Numerous laws have been enacted and implemented and the foremost
amongst them is The Constitution of India. We have, inter alia, the Indian
Penal Code, the Indian Evidence Act 1872, the Banker's Book Evidence Act,
1891 and the Reserve Bank of India Act, 1934, the Companies Act, and so
on. However, the arrival of Internet signalled the beginning of the rise of
new and complex legal issues. It may be pertinent to mention that all the
existing laws in place in India were enacted way back keeping in mind the
relevant political, social, economic, and cultural scenario of that relevant
time. Nobody then could really have visualized the Internet. Despite the
brilliant acumen of our master draftsmen, the requirements of cyberspace
could hardly ever be anticipated. As such, the coming of the Internet led to
the emergence of numerous ticklish legal issues and problems which
necessitated the enactment of Cyberlaws.

Secondly, the existing laws of India, even with the most benevolent and
liberal interpretation, could not be interpreted in the light of the emerging
cyberspace, to include all aspects relating to different activities in
cyberspace. In fact, the practical experience and the wisdom of judgment
found that it shall not be without major perils and pitfalls, if the existing
laws were to be interpreted in the scenario of emerging cyberspace, without
enacting new cyberlaws. As such, the need for enactment of relevant
cyberlaws.

Thirdly, none of the existing laws gave any legal validity or sanction to the
activities in Cyberspace. For example, the Net is used by a large majority of
users for email. Yet till today, email is not "legal" in our country. There is no
law in the country, which gives legal validity, and sanction to email. Courts
and judiciary in our country have been reluctant to grant judicial recognition
to the legality of email in the absence of any specific law having been
enacted by the Parliament. As such the need has arisen for Cyberlaw.

Fourthly, Internet requires an enabling and supportive legal infrastructure in
tune with the times. This legal infrastructure can only be given by the
enactment of the relevant Cyberlaws as the traditional laws have failed to
grant the same. E-commerce, the biggest future of Internet, can only be
possible if necessary legal infrastructure complements the same to enable its
vibrant growth.

All these and other varied considerations created the conducive atmosphere
for the need for enacting relevant cyberlaws in India. The Government of
India responded by coming up with the draft of the first Cyberlaw of India -
The Information Technology Bill, 1999. One question that is often asked is
why should we have Cyberlaw in India, when a large chunk of the Indian
population is below the poverty line and is residing in rural areas? More
than anything else, India, by its sheer numbers, as also by virtue of its
extremely talented and ever growing IT population, is likely to become a
very important Internet market in the future and it is important that we
legislate Cyberlaws in India to provide for a sound legal and technical
framework which, in turn, could be a catalyst for growth and success of the
Internet Revolution in India.

Need for Cyber Law


There are various reasons why it is extremely difficult for conventional
law to cope with cyberspace. Some of these are discussed below.
1. Cyberspace is an intangible dimension that is impossible to
govern and regulate using conventional law.
2. Cyberspace has complete disrespect for jurisdictional
boundaries. A person in India could break into a bank’s
electronic vault hosted on a computer in USA and transfer
millions of Rupees to another bank in Switzerland, all within
minutes. All he would need is a laptop computer and a cell phone.
3. Cyberspace handles gigantic traffic volumes every second.
Billions of emails are crisscrossing the globe even as we read
this, millions of websites are being accessed every minute and
billions of dollars are electronically transferred around the world
by banks every day.
4. Cyberspace is absolutely open to participation by all. A
ten-year-old in Bhutan can have a live chat session with an
eight-year-old in Bali without any regard for the distance or the
anonymity between them.
5. Cyberspace offers enormous potential for anonymity to its
members. Readily available encryption software and
steganographic tools that seamlessly hide information within
image and sound files ensure the confidentiality of information
exchanged between cyber-citizens.
6. Cyberspace offers never-seen-before economic efficiency.
Billions of dollars worth of software can be traded over the
Internet without the need for any government licenses, shipping
and handling charges and without paying any customs duty.
7. Electronic information has become the main object of cyber
crime. It is characterized by extreme mobility, which exceeds by
far the mobility of persons, goods or other services. International
computer networks can transfer huge amounts of data around the
globe in a matter of seconds.
8. A software source code worth crores of rupees or a movie can be
pirated across the globe within hours of their release.
9. Theft of corporeal information (e.g. books, papers, CD ROMs,
floppy disks) is easily covered by traditional penal provisions.
However, the problem begins when electronic records are copied
quickly, inconspicuously and often via telecommunication
facilities. Here the “original” information, so to say, remains in the
“possession” of the “owner” and yet information gets stolen.

Jurisprudence of Indian Cyber Law


The primary source of cyber law in India is the Information Technology
Act, 2000 (IT Act) which came into force on 17 October 2000.
The primary purpose of the Act is to provide legal
recognition to electronic commerce and to facilitate
filing of electronic records with the Government.
The IT Act also penalizes various cyber crimes and
provides strict punishments (imprisonment terms up to 10
years and compensation up to Rs 1 crore).
An Executive Order dated 12 September 2002 contained
instructions relating to provisions of the Act with regard to
protected systems and application for the issue of a Digital
Signature Certificate.
Minor errors in the Act were rectified by the Information
Technology (Removal of Difficulties) Order, 2002
which was passed on 19 September 2002.
The IT Act was amended by the Negotiable Instruments
(Amendments and Miscellaneous Provisions) Act,
2002. This introduced the concept of electronic cheques
and truncated cheques.
Information Technology (Use of Electronic Records
and Digital Signatures) Rules, 2004 has provided the
necessary legal framework for filing of documents with the
Government as well as issue of licenses by the
Government.
It also provides for payment and receipt of fees in relation
to the Government bodies.
On the same day, the Information Technology (Certifying Authorities)
Rules, 2000 also came into force.
These rules prescribe the eligibility, appointment and
working of Certifying Authorities (CA). These rules also lay
down the technical standards, procedures and security
methods to be used by a CA.
These rules were amended in 2003, 2004 and 2006.
Note: The Act, rules, regulations, orders etc referred to
in this section are discussed in more detail in the
Chapter 3 titled “Introduction to Indian Cyber Law”.
Fundamentals of Cyber Law
- 8 - © 2008 Rohas Nagpal. All rights reserved.
Information Technology (Certifying Authority)
Regulations, 2001 came into force on 9 July 2001. They
provide further technical standards and procedures to be
used by a CA.
Two important guidelines relating to CAs were issued. The
first are the Guidelines for submission of application for
license to operate as a Certifying Authority under the IT
Act. These guidelines were issued on 9th July 2001.
Next were the Guidelines for submission of certificates
and certification revocation lists to the Controller of
Certifying Authorities for publishing in National Repository
of Digital Certificates. These were issued on 16th
December 2002.
The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
also came into force on 17th October 2000.
These rules prescribe the appointment and working of the
Cyber Regulations Appellate Tribunal (CRAT) whose
primary role is to hear appeals against orders of the
Adjudicating Officers.
The Cyber Regulations Appellate Tribunal (Salary,
Allowances and other terms and conditions of service
of Presiding Officer) Rules, 2003 prescribe the salary,
allowances and other terms for the Presiding Officer of the
CRAT.
Information Technology (Other powers of Civil Court
vested in Cyber Appellate Tribunal) Rules 2003
provided some additional powers to the CRAT.
On 17th March 2003, the Information Technology (Qualification and
Experience of Adjudicating Officers and Manner of Holding Enquiry)
Rules, 2003 were passed.
These rules prescribe the qualifications required for
Adjudicating Officers. Their chief responsibility under the
IT Act is to adjudicate on cases such as unauthorized
access, unauthorized copying of data, spread of viruses,
denial of service attacks, disruption of computers,
computer manipulation etc.
These rules also prescribe the manner and mode of
inquiry and adjudication by these officers.
The appointment of adjudicating officers to decide the fate of multi-crore
cyber crime cases in India was the result of the public interest litigation
filed by students of Asian School of Cyber Laws (ASCL).
The Government had not appointed the Adjudicating Officers or the
Cyber Regulations Appellate Tribunal for almost 2 years after the
passage of the IT Act. This prompted ASCL students to file a Public
Interest Litigation (PIL) in the Bombay High Court asking for a speedy
appointment of Adjudicating officers.
The Bombay High Court, in its order dated 9th October 2002, directed the
Central Government to announce the appointment of adjudicating officers
in the public media to make people aware of the appointments. The
division bench of the Mumbai High Court consisting of Hon’ble Justice
A.P. Shah and Hon’ble Justice Ranjana Desai also ordered that the
Cyber Regulations Appellate Tribunal be constituted within a reasonable
time frame.
Following this the Central Government passed an order dated 23rd March
2003 appointing the “Secretary of Department of Information Technology
of each of the States or of Union Territories” of India as the adjudicating
officers.
The Information Technology (Security Procedure) Rules, 2004 came
into force on 29th October 2004. They prescribe provisions relating to
secure digital signatures and secure electronic records.
Also relevant are the Information Technology (Other
Standards) Rules, 2003.
An important order relating to blocking of websites was passed on
27th February, 2003.
Computer Emergency Response Team (CERT-IND) can
instruct Department of Telecommunications (DOT) to
block a website.
The Indian Penal Code (as amended by the IT Act) penalizes several
cyber crimes. These include forgery of electronic records, cyber frauds,
destroying electronic evidence etc.
Digital Evidence is to be collected and proven in court as per the
provisions of the Indian Evidence Act (as amended by the IT Act).
In case of bank records, the provisions of the Bankers’ Book Evidence
Act (as amended by the IT Act) are relevant.
Investigation and adjudication of cyber crimes is done in accordance with
the provisions of the Code of Criminal Procedure and the IT Act.
The Reserve Bank of India Act was also amended by the IT Act.
TECHNOLOGY POLICY OF INDIA

Recognizing the changing context of the scientific enterprise, and to
meet present national needs in the new era of globalisation,
Government enunciates the following objectives of its Science and
Technology Policy 2003:
Main objectives of Policy are:

• To ensure that the science and technology is fully integrated
with all spheres of national activity.
• To ensure food, agricultural, nutritional, environmental,
water, health and energy security of the people on a
sustainable basis.
• To vigorously foster scientific research in universities and
other academic, scientific and engineering institutions; and
attract the brightest young persons to careers in science and
technology.

• To mount a direct and sustained effort on the alleviation of
poverty, enhancing livelihood security, removal of hunger and
malnutrition, reduction of drudgery and regional imbalances,
both rural and urban, and generation of employment, by
using scientific and technological capabilities along with our
traditional knowledge pool.
• To promote the empowerment of women in all science and
technology activities and ensure their full and equal
participation.
• To provide necessary autonomy and freedom of functioning
for all academic and R&D institutions.
• To establish an Intellectual Property Rights (IPR) regime that
maximizes the incentives for the generation and protection of
intellectual property by all types of inventors.
• To promote international science and technology cooperation
towards achieving the goals of national development and
security, and make it a key element of our international
relations.
• To accomplish national strategic and security-related
objectives, by using the latest advances in science and
technology

• To encourage research and application for forecasting,
prevention and mitigation of natural hazards, particularly,
floods, cyclones, earthquakes, drought and landslides

What is e-commerce?
Electronic commerce or e-commerce refers to a wide range of online business
activities for products and services.1 It also pertains to “any form of business
transaction in which the parties interact electronically rather than by physical
exchanges or direct physical contact.”2
E-commerce is usually associated with buying and selling over the Internet, or
conducting any transaction involving the transfer of ownership or rights to use
goods or services through a computer-mediated network.3 Though popular, this
definition is not comprehensive enough to capture recent developments in this new
and revolutionary business phenomenon. A more complete definition is: E-commerce
is the use of electronic communications and digital information processing
technology in business transactions to create, transform, and redefine
relationships for value creation between or among organizations, and between
organizations and individuals.4
International Data Corp (IDC) estimates the value of global e-commerce in 2000 at
US$350.38 billion. This is projected to climb to as high as US$3.14 trillion by 2004.
IDC also predicts an increase in Asia’s percentage share in worldwide e-commerce
revenue from 5% in 2000 to 10% in 2004 (See Figure 1).
[Figure 1. Worldwide E-Commerce Revenue, 2000 & 2004 (as a % share of each country/region)]
Asia-Pacific e-commerce revenues are projected to increase from $76.8 billion at
year-end of 2001 to $338.5 billion by the end of 2004.

Electronic data interchange (EDI) is the structured transmission of data between organizations
by electronic means. It is used to transfer electronic documents or business data from one
computer system to another computer system, i.e. from one trading partner to another trading
partner without human intervention.

It is more than mere e-mail; for instance, organizations might replace bills of lading and
even cheques with appropriate EDI messages. It also refers specifically to a family of standards,
e.g. UN/EDIFACT, ANSI X12.
EDI STANDARDS

The EDI standards were designed to be independent of communication and software
technologies. EDI can be transmitted using any methodology agreed to by the sender and
recipient. This includes a variety of technologies, including modem (asynchronous, and
bisynchronous), FTP, E-mail, HTTP, AS1, AS2, etc. It is important to differentiate between the
EDI documents and the methods for transmitting them. When they compared the bisynchronous
protocol 2400 bit/s modems, CLEO devices, and value-added networks used to transmit EDI
documents to transmitting via the Internet, some people equated the non-Internet technologies
with EDI and predicted erroneously that EDI itself would be replaced along with the non-Internet
technologies. These non-internet transmission methods are being replaced by Internet
Protocols such as FTP, telnet, and E-mail, but the EDI documents themselves still remain.

There are four major sets of EDI standards:

• The UN-recommended UN/EDIFACT is the only international standard and is
predominant outside of North America.
• The US standard ANSI ASC X12 (X12) is predominant in North America.
• The TRADACOMS standard developed by the ANA (Article Numbering Association) is
predominant in the UK retail industry.
• The ODETTE standard used within the European automotive industry

All of these standards first appeared in the early to mid 1980s. The standards prescribe the
formats, character sets, and data elements used in the exchange of business documents and
forms. The complete X12 Document List includes all major business documents, including
purchase orders (called "ORDERS" in UN/EDIFACT and an "850" in X12) and invoices (called
"INVOIC" in UN/EDIFACT and an "810" in X12).

The EDI standard says which pieces of information are mandatory for a particular document,
which pieces are optional, and gives the rules for the structure of the document. The standards are
like building codes. Just as two kitchens can be built "to code" but look completely different, two
EDI documents can follow the same standard and contain different sets of information. For
example a food company may indicate a product's expiration date while a clothing manufacturer
would choose to send color and size information.

EDI security

The types of security controls networks should have are crucial when your
organization adopts EDI as you and your trading partners are entrusting some
of your most crucial and confidential data to the network.
Securing an EDI system is much like securing any kind of computer network
with this difference: EDI extends to more than one company. Not only must
organizations make sure their system is secure, but their trading partners must
all do the same.

A full EDI security system should include three levels of security:

(1) Network level security


This level of security basically screens users accessing a particular network.
With a set of account/user identification codes coupled with the corresponding
passwords, authorized users will be able to log into the network and to perform
transactions (that is, sending and receiving of EDI messages) across the
network. This level of security ensures that users not registered in the EDI
network are not able to gain access to its facilities.

(2) Application level security


Beyond network security, application level security can also be put in place.
This level of security is usually controlled by the individual front-end EDI
application (or software).

In any given EDI application or software, there might be some data you are not
allowed to see, some you can see but not alter, some to which you can add
information and some where you can change existing information. Application
level security makes use of passwords to admit different categories of users to
the different levels of application to which they can gain access. For example, a
clerical staff may only be given authority to key in data in an electronic
purchase order but not the authority to send the EDI document to the supplier.
A higher level managerial staff may hold a password which allows him to view
the data keyed in by the clerical staff, make the necessary corrections and send
the document out.

A system administrator is usually appointed to oversee the EDI application, to
maintain a system that both identifies the data and monitors which password
holders are given access, and to decide on the kind of access to the system.

(3) Message level security


Message level security can also be put in place to combat unauthorized
disclosure of message content, non-bona fide messages, duplication, loss or
replay of messages, deletion of messages and repudiation of message
responsibility by its sender or its receiver. To counter these, EDIFACT has in
place several methods of message-level security:
(i) Encryption
The idea of data encryption is that data, whether on screen or as ASCII within a
computer system, can be totally enciphered by a transmission process, and on
receipt by an authorized user can be reconstituted into its original format.

This method of security is used to ensure confidentiality of contents and
protects against unauthorized reading, copying or disclosure of message
content.

(ii) Message authentication


Message authentication, or a MAC (Message Authentication Code), can be
applied to a whole message or only part of a message.

The idea behind the MAC process is to ensure that only authorized senders and
receivers correspond and that no one is impersonating another correspondent.

(iii) Message sequence numbers


Message sequence numbers are used to protect against duplication, addition,
deletion, loss or replay of a message.

(iv) Hashing
Hashing is a technique used to protect against modification of data.

Message content integrity can be achieved by the sender including with the
message an integrity control value (also known as a hash value). The receiver of
the message computes the integrity control value of the data actually received
using the corresponding algorithms and parameters and compares the result
with the value received.

(v) Digital signatures


Digital signatures protect the sender of a message from the receiver's denial of
having received the message. The use of digital signatures can also protect the
receiver of a message from the sender's denial of having sent the message.

Protection can be achieved by the sender by including a digital signature with
the transmitted message. A digital signature is obtained by encrypting, with an
asymmetric algorithm. The digital signature can be verified by using the public
key which corresponds to the secret key used to create it. This public key may
be included with the interchange agreement signed by the parties.
Protection can be achieved by the receiver sending an acknowledgement which
includes a digital signature based on the data in the original message. The
acknowledgement takes the form of a service message from the receiver to the
sender.

The use of digital signatures provides not only non-repudiation of origin and
receipt, but also message content integrity and origin authentication.
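
The receiver-side checks described in (ii) to (iv) above, as an added example that is not part of the original text or of any EDI product. The Envelope wrapper, the sender ID BUYER01, the key and the sample ORDERS message are constructed for illustration; HMAC-SHA256 and SHA-256 are assumed choices and the wrapper is not EDIFACT's own security segment syntax.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed sample: a minimal UN/EDIFACT-style purchase order (ORDERS).
SAMPLE_ORDER = ("UNH+1+ORDERS:D:96A:UN'BGM+220+PO-0001+9'"
                "LIN+1++4000862141404:EN'QTY+21:10'UNT+5+1'")


@dataclass(frozen=True)
class Envelope:          # hypothetical wrapper, not EDIFACT security segments
    sender: str
    seq: int             # message sequence number, counted per sender
    body: str
    digest: str          # integrity control value (hash) of the body
    mac: str             # MAC binding sender, sequence number and hash


def _mac(key: bytes, sender: str, seq: int, digest: str) -> str:
    # A JSON list gives an unambiguous encoding of the three fields.
    data = json.dumps([sender, seq, digest]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect(key: bytes, sender: str, seq: int, body: str) -> Envelope:
    """Sender side: attach the hash value and the MAC to the message."""
    digest = hashlib.sha256(body.encode()).hexdigest()
    return Envelope(sender, seq, body, digest, _mac(key, sender, seq, digest))


class Receiver:
    def __init__(self, partner_keys):
        self._keys = dict(partner_keys)           # one shared key per partner
        self._last_seq = {sender: 0 for sender in self._keys}

    def accept(self, env: Envelope) -> str:
        key = self._keys.get(env.sender)
        if key is None:
            return "REJECT: unknown sender"
        # (ii) MAC: only a holder of the shared key can produce this value.
        expected = _mac(key, env.sender, env.seq, env.digest)
        if not hmac.compare_digest(expected, env.mac):
            return "REJECT: bad MAC"
        # (iv) Hash: recompute over the data actually received and compare.
        actual = hashlib.sha256(env.body.encode()).hexdigest()
        if not hmac.compare_digest(actual, env.digest):
            return "REJECT: content modified"
        # (iii) Sequence number: must increase; a jump signals a lost message.
        last = self._last_seq[env.sender]
        if env.seq <= last:
            return "REJECT: duplicate or replay"
        self._last_seq[env.sender] = env.seq
        if env.seq > last + 1:
            return f"ACCEPT: gap, missing {last + 1}..{env.seq - 1}"
        return "ACCEPT"


def demo():
    key = b"constructed-demo-key"
    rx = Receiver({"BUYER01": key})
    first = protect(key, "BUYER01", 1, SAMPLE_ORDER)
    altered = replace(protect(key, "BUYER01", 2, SAMPLE_ORDER),
                      body=SAMPLE_ORDER.replace("QTY+21:10", "QTY+21:99"))
    forged = protect(b"not-the-shared-key", "BUYER01", 2, SAMPLE_ORDER)
    third = protect(key, "BUYER01", 3, SAMPLE_ORDER)
    return [rx.accept(m) for m in (first, first, altered, forged, third)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A shared-key MAC proves origin only between the two key holders; non-repudiation towards a third party needs the digital signature of (v).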

How is e-commerce being used today?


E-commerce is just beginning to emerge as a tool that is used to help manage facilities.
The most frequent application of e-commerce today is to purchase supplies and materials
on the web from a specific vendor. Almost 2 out of 10 respondents indicated that their
department purchases supplies and materials on the web “a lot.” In addition to purchasing
supplies and materials, the other top uses of e-commerce were accessing facilities
manuals, publishing static project information on the Internet, purchasing supplies and
materials through an Internet service that connects buyers and sellers, and taking
interactive courses via the Internet.
2.
