
Information Technology Act 2000

Shikha Sachdev Karan Bhatia Kunal Khatwani Akshat Agarwal Vishesh Dalal

IT Act, 2000
Enacted on 17th May 2000. India is the 12th nation in the world to adopt cyber laws.
The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL.

Objectives of the IT Act

To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce"
To facilitate electronic filing of documents with Government agencies and e-payments
To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934

Extent of application
Extends to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person {section 1(2)}, read with section 75: the Act applies to an offence or contravention committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or computer network located in India.

Definitions (section 2)
"electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
"secure system" means computer hardware, software and procedure that (a) are reasonably secure from unauthorized access and misuse; (b) provide a reasonable level of reliability and correct operation; (c) are reasonably suited to performing the intended function; and (d) adhere to generally accepted security procedures;
"security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000;
"secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

Act is not applicable to

(a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;
(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;
(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;
(e) any contract for the sale or conveyance of immovable property or any interest in such property;
(f) any such class of documents or transactions as may be notified by the Central Government.

DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE

DIGITAL SIGNATURE
Digital signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure.

CREATION OF DIGITAL SIGNATURE
1. To sign an electronic record or any other item of information, the signer first applies the hash function in the signer's software.
2. The signer's software transforms the hash result into a digital signature using the signer's private key.
3. The digital signature is attached to its electronic record and stored or transmitted with the electronic record.

Manner in which information is to be authenticated by means of digital signature: a digital signature shall
a. be created and verified by cryptography;
b. use what is known as PUBLIC KEY CRYPTOGRAPHY.

Verification of digital signature: verification means to determine whether
a. the initial electronic record was affixed with the digital signature;
b. the original electronic record is retained.

DIGITAL SIGNATURE CERTIFICATE
REPRESENTATION UPON ISSUANCE OF DIGITAL SIGNATURE CERTIFICATE
EXPIRY OF DIGITAL SIGNATURE CERTIFICATE
FEES FOR ISSUE OF DIGITAL SIGNATURE CERTIFICATE
CONTENT OF DIGITAL SIGNATURE CERTIFICATE
GENERATION OF DIGITAL SIGNATURE CERTIFICATE
COMPROMISE OF DIGITAL SIGNATURE CERTIFICATE
SUSPENSION OF DIGITAL SIGNATURE CERTIFICATE
ARCHIVAL OF DIGITAL SIGNATURE CERTIFICATE

ELECTRONIC SIGNATURE
Electronic signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule, and includes digital signature. The electronic signature was adopted by the United Nations Commission on International Trade Law in the year 2001 and came into force from 27.10.2009.

Rules in respect of electronic signature:
Electronic Signature Certificate
Certification Practice Statement

SUBSCRIBER
Subscriber means a person in whose name the digital/electronic signature certificate is issued. The method used to verify and authenticate the identity of a subscriber is known as the Subscriber Identity Verification Method.
Duties of subscriber:
1. Generating key pair
2. On acceptance of Digital Signature Certificate
3. Control of private key

Electronic Governance & Electronic Records

Electronic Commerce
EC transactions over the Internet include:
Formation of Contracts
Delivery of Information and Services
Delivery of Content

Future of Electronic Commerce depends on

the trust that the transacting parties place in the security of the transmission and content of their communications

Electronic World
An electronic document is produced by a computer, stored in digital form, and cannot be perceived without using a computer.
It can be deleted, modified and rewritten without leaving a mark.
Integrity of an electronic document is inherently impossible to verify.
A copy is indistinguishable from the original.
It cannot be sealed in the traditional way, where the author affixes his signature.

The functions of identification, declaration and proof of electronic documents are carried out using a digital signature based on cryptography.

Electronic World
Digital signatures are created and verified using cryptography.
Public key system based on asymmetric keys: an algorithm generates two different and related keys, a public key and a private key.
Private key is used to digitally sign. Public key is used to verify.

Public Key Infrastructure

Allows parties to have free access to the signer's public key.
This assures that the public key corresponds to the signer's private key.
Trust between parties as if they know one another.

Parties with no trading partner agreements, operating on open networks, need to have the highest level of trust in one another.

Role of the Government

Government has to provide the definition of the structure of PKI:
the number of levels of authority and their juridical form (public or private certification)
which authorities are allowed to issue key pairs
the extent to which the use of cryptography should be authorised for confidentiality purposes
whether the Central Authority should have access to the encrypted information, and when and how
the key length, its security standard and its time validity

Certificate based Key Management

[Diagram: a CA at the top; User A and User B below, each holding a certificate (CA A, CA B) issued by the CA]

Operated by a trusted third party, the CA:
Provides Trading Partners' Certificates
Notarises the relationship between a public key and its owner
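The slides above describe the full chain: the signer hashes the record, turns the hash into a signature with the private key and attaches it; a relying party verifies with the public key, trusting that key only because a CA has notarised its binding to the owner. The following is an added example, not part of the original presentation. The Certificate struct, the NUL-separated encoding the CA signs and the choice of Ed25519 with SHA-256 are illustrative assumptions; the struct is a simplified stand-in for a real Digital Signature Certificate, and all keys and records are constructed in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Certificate is a simplified Digital Signature Certificate: the CA signs the (owner, public key) pair.
type Certificate struct {
	Subscriber string
	PublicKey  ed25519.PublicKey
	CASig      []byte // CA's signature over certBytes(Subscriber, PublicKey)
}

// SignedRecord is an electronic record with the subscriber's signature attached to it.
type SignedRecord struct{ Record, Sig []byte }

// certBytes is the byte string the CA signs; the NUL separator keeps name and key distinct.
func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueCertificate: the CA vouches for the binding of a subscriber name to a public key.
func IssueCertificate(caPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Certificate {
	return Certificate{name, pub, ed25519.Sign(caPriv, certBytes(name, pub))}
}

// SignRecord follows the slide: hash the record, sign the hash with the private key, attach.
func SignRecord(priv ed25519.PrivateKey, record []byte) SignedRecord {
	digest := sha256.Sum256(record)
	return SignedRecord{record, ed25519.Sign(priv, digest[:])}
}

// VerifyRecord is the relying party's check: the CA must vouch for the key and the signature must match the record's hash.
func VerifyRecord(caPub ed25519.PublicKey, cert Certificate, sr SignedRecord) bool {
	certOK := ed25519.Verify(caPub, certBytes(cert.Subscriber, cert.PublicKey), cert.CASig)
	digest := sha256.Sum256(sr.Record)
	return certOK && ed25519.Verify(cert.PublicKey, digest[:], sr.Sig)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)   // constructed demo CA key pair
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo subscriber key pair
	cert := IssueCertificate(caPriv, "subscriber-A", subPub)
	sr := SignRecord(subPriv, []byte("constructed sample record: pay B 100 INR"))
	fmt.Println("genuine:", VerifyRecord(caPub, cert, sr))
	sr.Record = []byte("constructed sample record: pay B 900 INR") // altered in transit
	fmt.Println("tampered:", VerifyRecord(caPub, cert, sr))
}
```

Verification fails both when the record has been altered after signing and when the certificate was not issued by the trusted CA, which is what lets a relying party with no prior relationship to the signer still trust the signature.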

Section 4- Legal recognition of Electronic Records

If any information is required in printed or written form under any law, the information provided in electronic form, which is accessible so as to be usable for subsequent use, shall be deemed to satisfy the requirement of presenting the document in written or printed form.

Sections 5, 6 & 7
Legal recognition of Digital Signatures
Use of Electronic Records in Government & its Agencies
Publication of rules and regulations in the Electronic Gazette
Retention of Electronic Records: accessibility of information, same format, particulars of dispatch, origin, destination, time stamp, etc.

The Controller of Certifying Authorities (CCA) has to regulate the functioning of CAs in the country by:
Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities
Certifying the public keys of the CAs, i.e. their Digital Signature Certificates, more commonly known as Public Key Certificates (PKCs)
Laying down the standards to be maintained by the CAs
Addressing the issues related to the licensing process

The licensing process

Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations thereunder
Approving the Certification Practice Statement (CPS)
Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA

Audit Process
Adequacy of security policies and implementation thereof
Existence of adequate physical security
Evaluation of functionalities in technology as it supports CA operations
CA's services administration processes and procedures
Compliance to relevant CPS as approved and provided by the Controller
Adequacy of contracts/agreements for all outsourced CA operations
Adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time

Controller & Certifying Authorities

Controller
Appointment of Controller and other officers to regulate Certifying Authorities: the Central Government may appoint a Controller of Certifying Authorities for the purposes of this Act. The Central Government may also appoint such number of Deputy Controllers, Assistant Controllers, other officers and employees.

Functions of Controller
Exercising supervision over the activities of the Certifying Authorities
Certifying public keys of the Certifying Authorities
Laying down the standards to be maintained by the Certifying Authorities

Powers of Controller
To delegate
To investigate contraventions
To give directions
Access to computers and data

Licensed Certifying Authorities

Provides services to its subscribers and relying parties as per its Certification Practice Statement (CPS), which is approved by the CCA as part of the licensing procedure:
Identification and authentication
Certificate issuance
Certificate suspension and revocation
Certificate renewal
Notification of certificate-related information
Display of all these on its website
Time-stamping

Securing communications
CCA in position: root of trust, National Repository
Licensed CAs
Digital signatures for signing documents
Certificates, CRLs for access by relying parties
PKI operational
Other provisions of the IT Act
Cybercrimes not to go unpunished

Regulation of Certifying Authorities [Chapter IV]

The Central Government may appoint a Controller of Certifying Authorities who shall exercise supervision over the activities of Certifying Authorities. Certifying Authority means a person who has been granted a licence to issue a Digital Signature Certificate. The Controller of Certifying Authorities shall have powers to lay down rules, regulations, duties, responsibilities and functions of the Certifying Authority issuing Digital Signature Certificates. A Certifying Authority empowered to issue Digital Signature Certificates has to procure a licence from the Controller of Certifying Authorities to issue Digital Signature Certificates. The Controller of Certifying Authorities has prescribed detailed rules and regulations under the Act as to the application for a licence, suspension of a licence and the procedure for grant or rejection of a licence.

IT Act overview of other relevant provisions

Section 16- Central Government to prescribe security procedures
Sec 17 to 34- Appointment and regulation of Controller and Certifying Authorities
Sec 35 to 39- Obtaining DSC
Sec 40 to 42- Duties of subscriber of DSC: exercise due care to retain control of the private key

Section 12- Acknowledgement of Receipt

If the originator has not specified a particular method: any communication, automated or otherwise, or any conduct indicating the receipt
If the originator has specified that the acknowledgement of receipt is necessary: then unless acknowledgement has been received, the electronic record shall be deemed to have never been sent
Where the acknowledgement is not received within the time specified or within a reasonable time, the originator may give notice to treat the electronic record as though it had never been sent

Section 13- Dispatch of Electronic record

If the addressee has a designated computer resource, receipt occurs at the time the electronic record (ER) enters the designated computer resource; if the electronic record is sent to a computer resource of the addressee that is not the designated one, receipt occurs when the ER is retrieved by the addressee
If no computer resource is designated, receipt occurs when the ER enters a computer resource of the addressee
An electronic record shall be deemed to be dispatched and received where the originator has his principal place of business, otherwise at his usual place of residence

ADJUDICATION, PENALTIES AND COMPENSATION

ADJUDICATION
Every Adjudicating Officer shall have the powers of a Civil Court which are conferred on the Cyber Appellate Tribunal, and all proceedings before the Adjudicating Officer shall be deemed to be proceedings before a Civil Court. [sec 46]
While adjudging the quantum of compensation, the Adjudicating Officer shall have due regard to the following factors:
I. the amount of unfair advantage, wherever quantifiable, made as a result of the default;
II. the amount of the loss caused to any person as a result of the default;
III. the repetitive nature of the default. [sec 47]

An officer not below the rank of a Director to the Government or an equivalent officer of a State Government, possessing the prescribed experience in the field of information technology and legal or judicial experience, shall be appointed as an Adjudicating Officer by the Central Government to adjudge whether any person has committed a contravention of any of the provisions of the Act, or of any rule, regulation, direction or order made thereunder, which renders him liable to pay penalty or compensation.
The claim for injury or damage should not exceed rupees five crores. Jurisdiction in respect of a claim for injury or damage exceeding rupees five crores shall vest with the competent court.
The person liable to pay shall be given a reasonable opportunity for making representation in the matter. After such an inquiry, if the Adjudicating Officer is satisfied that the person is liable to pay, he may impose the penalty he thinks fit in accordance with the provisions of the applicable section.

OFFENCES, COMPENSATION AND PENALTIES

1. Penalty and compensation for damage to computer, computer system, etc.: if any person, without permission of the owner or any other person who is in charge of the computer, computer system or computer network
a. accesses or secures access to such computer, computer system or computer network;
b. downloads, copies or extracts any data, computer database or information;
c. introduces any computer virus;
d. damages or causes damage to the computer;
e. disrupts or causes disruption;
f. denies or causes denial of access to any person authorized to access;
g. steals, conceals or destroys.
(up to 3 yrs or up to 5 lacs or both)
2. Compensation for failure to protect data.
3. Penalty for failure to furnish information, return, etc.
4. Penalty for securing access to a protected system. (up to 10 yrs + fine)
5. Tampering with computer source documents. (up to 3 yrs or up to 2 lacs or both)
6. Punishment for sending offensive messages through communication service. (up to 3 yrs + fine)
7. Punishment for dishonestly receiving stolen computer resource. (up to 3 yrs + up to 1 lac or both)
8. Punishment for identity theft. (up to 3 yrs + up to 1 lac)
9. Punishment for violation of privacy. (up to 3 yrs or up to 2 lacs or both)
10. Punishment for cyber terrorism. (up to imprisonment for life)
11. Punishment for publishing obscene material in electronic form. (up to 5 yrs + up to 5 lacs)
12. Punishment for publishing or transmitting material containing sexually explicit act, etc. (up to 7 yrs + up to 10 lacs)
13. Punishment for publishing material depicting children in sexually explicit act, etc., in electronic form. (up to 5 yrs + up to 10 lacs or up to 7 yrs + up to 10 lacs)

14. Penalty for failure to comply with order or direction of Controller. (up to 2 yrs or up to 1 lac or both)
15. Penalty on subscriber or intermediary failing to extend facilities and technical assistance. (up to 7 yrs + fine)
16. Penalty on intermediary for failure to retain information. (up to 3 years + fine)
17. Penalty for misrepresentation. (up to 2 yrs or up to 1 lac or both)
18. Penalty for publication for fraudulent purpose. (up to 2 yrs or up to 1 lac or both)
19. Residuary penalty. (up to 25 thousand)

THANK YOU
Shikha Sachdev, Karan Bhatia, Kunal Khatwani, Akshat Agarwal, Vishesh Dalal
