You are on page 1of 52

IT Act 2000



Scope Definitions

Issues Addressed
Administrative Authority Offences & Penalties

Checklist for Managers

Court Cases

First statute on IT in India

Influenced by the Model Law on Electronic

Commerce framed by General Assembly of UN The General Assembly of the UN had adopted the Model Law from the United Nations Commission on International Trade Law (UNCITRAL) in its General Assembly Resolution on January 30, 1997. Passed on May 15, 2000 Came into force on October 17, 2000 Latest amendment in 2008

To give a boost to the growth of electronic based

transaction To provide legal recognition e-commerce and etransactions To facilitate e-governance & prevent computer based crimes and ensure security practices and procedures Protection of Critical Information Infrastructure To stop computer crime and protect privacy of internet users To give legal recognition to digital signature for accepting any agreement via computer To facilitate electronic storage of data

Every electronic information is under the scope of

I.T. Act 2000 but following electronic transaction is not under I.T. Act 2000: The attestation for creating trust via electronic way. Physical attestation is must The attestation for making will of any body. Physical attestation by two witnesses is a must A contract of sale of any immovable property. Attestation for giving power of attorney of property is not possible via electronic record.


A person who is intended by the originator to receive

the electronic record but does not include any intermediary.

Digital Signature
means authentication of any electronic record by a

subscriber by means of an electronic method or procedure in accordance with the provisions of section 3. Sec 3

The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.

Asymmetric crypto system

Secure key pair

Private key to create digital signature

Public key to verify digital signature

Various Types of Crypto System

Affixing Digital Signature

Adoption of any methodology or procedure

Purpose of authenticating e-record by digital


Certifying Authority
A person with authority to grant a license to issue a

Digital Signature Certificate.

Any electronic magnetic, optical or other high-speed

data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

Electronic Form
With reference to information means any

information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;

In relation to a computer, function includes logic control arithmetical process deletion, storage and retrieval communication or telecommunication from or within a computer;

Subscriber & Verification

A person in whose name the Digital Signature Certificate

is issued; Verify : in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether (a) the initial electronic record was affixed with the digital signature by the use of private key corresponding to the public key of the subscriber; (b) the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.

Issues Addressed
Authentication of Electronic Records

Electronic Governance

Acknowledgement Electronic Records




Secure Electronic Records and Security Procedure Digital Signature Certificates

Duties of Subscribers

Authentication of Electronic Records

Any subscriber may authenticate an electronic record by

affixing his digital signature. Authentication shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. Any person by the use of a public key of the subscriber can verify the electronic record. The private key and the public key are unique to the subscriber and constitute a functioning key pair.

Electronic Governance
Legal recognition of Electronic Records Legal recognition of Digital Signatures Use of electronic records and digital signatures in Government

and its agencies The appropriate Government may, by rules, prescribe (a) the manner and format in which such electronic records shall be filed, created or issued (b) the manner or method of payment of any fee or charges for filing, creation or issue any electronic record Retention of Electronic Records Records or information are retained in the electronic form, if (a) the information contained therein remains accessible so as to be usable for a subsequent reference

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received (c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record Publication of rule, regulation, etc., in Electronic Gazette. Where any law provides that any rule, regulation, order, byelaw, notification or any other matter shall be published in the Official Gazette, then, such requirement shall be deemed to have been satisfied if it is published in the Official Gazette or Electronic Gazette

Attribution, Acknowledgement and Despatch of Electronic Records

Attribution of electronic records.

An electronic record shall be attributed to the originator (a) if it was sent by the originator himself; (b) by a person authorized by the (c) by an information system programmed by or on behalf of the originator to operate automatically. Acknowledgement of Receipt (a) When no agreement regarding the acknowlegement of receipt has been made (b) When it is stipulated that the electronic record shall be binding only on the acknowledgement of receipt (c) When nothing is stipulated and no acknowledgement is received within reasonable time

Time and Place of Dispatch and Receipt of Electronic Records

Dispatch Time - when it enters a computer resource outside the control of the originator Place - where the originator has his place of business Receipt Time - when the electronic record enters the designated computer resource, or when it is retrieved by the addressee Place - where the addressee has his place of business

Secure Electronic Records and Security Procedure

Security procedure

The Central Government shall for the purposes of this Act prescribe the security procedure having regard to commercial circumstances prevailing at the time when the procedure was used, including (a) the nature of the transaction; (b) the level of sophistication of the parties with reference to their technological capacity; (c) the volume of similar transactions engaged in by other parties; (d) the availability of alternatives offered to but rejected by any party; (e) the cost of alternative procedures; and (f) the procedures in general use for similar types of transactions or communications.

Secure electronic record

Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification. Secure digital signature If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was (a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; (c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated, then such digital signature shall be deemed to be a secure digital signature.

Digital Signature Certificates

Any person may make an application to the Certifying Authority for issue of

Digital Signature Certificate. The Certifying Authority while issuing such certificate shall certify that it has complied with the provisions of the Act.
The Certifying Authority has to ensure that the subscriber holds the private

key corresponding to the public key listed in the Digital Signature Certificate and such public and private keys constitute a functioning key pair.
The Certifying Authority has the power to suspend or revoke Digital

Signature Certificate.

Duties of Subscribers
Generating key pair Acceptance of Digital Signature Certificate A subscriber shall be deemed to have accepted a Digital Signature

Certificate if he publishes or authorizes the publication of a Digital Signature Certificate (a) to one or more persons; (b) in a repository, or otherwise demonstrates his approval of the Digital Signature Certificate in any manner. By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that (a) the subscriber holds the private key corresponding to the public key (b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;

Control of private key Every subscriber shall exercise reasonable care to retain control of the

private key corresponding to the public key listed in his Digital Signature Certificate If the private key has been compromised, then the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations.

Enforcement Auditors Controller of certifying authorities Administrative Certifying Authorities IT Dept of the government of India Advisory Central government Cyber Regulations Advisory Committee

Cyber Regulation Appellate Tribunal

Offenses & Penalty

Section 43

Offense Penalty for damage of computer system Failure to furnish information return etc, Residuary Penalty

Fine Upto 1 Crore

Imprisonm ent No

Both No


Upto 10K per day




Upto 25K



Section 65

Offense Tampering with computer source documents Hacking Publishing of obscene information in electronic form

Fine Upto 2Lacs

Imprisonm ent Upto 3 yrs

Both Yes

66 67

Upto 2Lacs 1L 2L

Upto 3 yrs 5 10 yrs

Yes Yes


Unauthorized access to protected system

Upto 2L

Imprisonm ent
Upto 10 yrs



Misrepresenta 1L 2L tion to the Controller or the Certifying Authority Breach of Confidentility and Privacy Publishing false digital signature certificates Publication for fraudulent purpose 1L 2L

Upto 2 yrs



Upto 2 yrs



1L 2L

Upto 2 yrs



1L 2L

Upto 2 yrs


Computer Related Crimes under IPC and Special Laws

Sending threatening messages by email

Sec 503 IPC

Sec 499, 500 IPC Sec 463, 470, 471 IPC Sec 420 IPC Sec 416, 417, 463 IPC NDPS Act Sec. 383 IPC Arms Act

Sending defamatory messages by email Forgery of electronic records Bogus websites, cyber frauds Email spoofing Online sale of Drugs Web - Jacking Online sale of Arms


Section 66: As proposed in 2006, this section combines

contraventions indicated in Section 43 with penal effect and extends the punishment from 2 lacs to 5 lacs. It also introduces the pre-conditions of "Dishonesty" and "Fraud" to the current section 66. Section 66 A: This section covers Sending of Offensive messages. Section 66B: Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe that the same to be a stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

This section appears to cover theft of computer, laptop,

mobile and also information. It can be extended to theft of digital signals of TV transmission as was once envisaged under the Convergence Bill (since discarded). Section 66 C: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term that extends upto three years and shall also be liable to fine which may extend to rupees one lakh This section covers password theft which was earlier being covered under Section 66.

Section 66 D: Whoever by means of any communication

device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees. This section covers Phishing which was earlier being covered under Section 66. It may also cover some kinds of e-mail related offences including harassment.

Section 66 E: Whoever, intentionally or knowingly

captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that persons, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees or with both. Section 67: The imprisonment term envisaged under the current ITA 2000 is reduced from 5 years to 3 years. However it is an increase from 2 years compared to ITAA 2006

Section 67A: This covers "Sexually Explicit Content" and

was introduced in ITAA 2006. Section 67B: Whoever, (a) Publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or (b) Creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or


Cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or (d) Facilitates abusing children online or (e) Records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,

shall be punished on first conviction with imprisonment of

either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees: Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years. This section covers "Child Pornography"

Facebook Bal Thakare Post

One girl posted on facebook calling Maharashtra

Bandh due to sad demise of Bal Thakare unfair Her friend liked this comment One of the Shiv Sainik leader came to know this and lodged a complain against these two girls and police arrested them on the basis of Sec 66A of IT Act Shiv Sena vandalised her uncles clinic The girls were released on bail

Plagiarism Controversy @ IIMA

Somebody sent offensive emails to The Director &

other faculty members of the institute to tarnish the image of the college. Lodged an FIR and found out that it was sent from Mr.Dass, ex-professor, was sending these emails. A suit has been filed against him according to section 66A of IT Act. He is also charged of stealing reports and content of 3 papers from the institute under section 419 of IPC.


Facts of the case:

Tata Indicom employees were arrested for manipulation of the electronic 32-bit number (ESN) programmed into cell phones that were exclusively franchised to Reliance Infocomm.The court held that such manipulation amounted to tampering with computer source code as envisaged by section 65 of the Information Technology Act, 2000.

Case Details: Reliance Infocomm launched a scheme under which a cell phone subscriber was given a digital handset worth Rs. 10,500/- as well as service bundle for 3 years with an initial payment of Rs. 3350/- and monthly outflow of Rs. 600/-. The subscriber was also provided a 1 year warranty and 3 year insurance on the handset. The condition was that the handset was technologically locked so that it would only work with the Reliance Infocomm services. If the customer wanted to leave Reliance services, he would have to pay some charges including the true price of the handset. Since the handset was of a high quality, the market response to the scheme was phenomenal.

Unidentified persons contacted Reliance customers with an offer

to change to a lower priced Tata Indicom scheme. As part of the deal, their phone would be technologically "unlocked" so that the exclusive Reliance handsets could be used for the Tata Indicom service. Reliance officials came to know about this "unlocking" by Tata employees and lodged a First Information Report (FIR) under various provisions of the Indian Penal Code, Information Technology Act and the Copyright Act. The police then raided some offices of Tata Indicom in Andhra Pradesh and arrested a few Tata Tele Services Limited officials for reprogramming the Reliance handsets.

Court Decided On: 29.07.2005 1.A cell phone is a computer as envisaged under the Information Technology Act. 2.ESN and SID come within the definition of "computer source code" under section 65 of the Information Technology Act. 3.When ESN is altered, the offence under Section 65 of Information Technology Act is attracted because every service provider has to maintain its own SID code and also give a customer specific number to each instrument used to avail the services provided. 4.In Section 65 of Information Technology Act the disjunctive word "or" is used in between the two phrases a. "when the computer source code is required to be kept" b. "maintained by law for the time being in force" The punishment prescribed by law for the above offence is imprisonment up to three years or a fine of Rs. 2,00,000/- or both.


Spam may be defined as Unsolicited Bulk E-mail. Almost all of us receive many unwanted mails daily. Though there are some technical measures to block them but they are still not adequate. In the absence of any adequate technical protection, stringent legislation is required to deal with the problem of spam. The Information Technology Act does not discuss the issue of spamming at all. USA and the European Union and Australia have provisions for the same. In fact Australia has very stringent spam laws under which the spammers may be fined up to 1.1 million dollars per day.


Though the Information Technology Act talks about publishing of information which is obscene in nature, it doesnt specifically define what is obscene and what may be classified as pornography. Even the punishment for pornography is not sufficient in India. In China the punishment for maintaining pornographic website is life imprisonment. It is interesting to note down that the Information Technology Act prohibits publishing of pornography but viewing of pornography is not an offence under the act.


According to scholars, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail and often directs users to enter personal and financial details at a website. There is no law against phishing in the Information Technology Act though the Indian Penal Code talks about cheating, it is not sufficient to check the activity of phishing.


Data protection laws primarily aim to safeguard the interest of the individual whose data is handled and processed by others. Internet Banking involves not just the banks and their customers, but numerous third parties too. Information held by banks about their customers, their transactions etc. changes hand several times. It is impossible for the banks to retain information within their own computer networks. High risks are involved in preventing leakage or tampering of data which ask for adequate legal and technical protection. India has no law on data protection . UK has stringent data protection laws.

Denial of service (DOS) and DDOS have not been

addressed to. Death of PING attack has also not been considered.

Also as important issues like copyright, piracy,

patents, trademark are not addressed to directly , E-commerce has not picked up even thought the act was enacted almost 12 years ago.