Connectivity via the Internet has greatly a bridged geographical distances and made communication even more rapid. While activities in this limitless new universe are increasing incessantly, the need for laws to be formulated to govern all spheres of this new revolution was felt. In order to keep pace with the changing generation the Indian Parliament passed Information Technology (IT) Act, 2000. The IT Act has been conceptualised on the United Nations Commission on International Trade Law (UNCITRAL) Model Law.
The Act aims at providing legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communications commonly referred to as "electronic commerce" which involve the use of alternative to paper based methods of communication and storage of information and aims at facilitating electronic filing of documents with the government agencies.
The Act applies to the whole of India. It also applies to any offence committed outside India by any person. It does not apply to the following.
- a negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881;
- a power-of-attorney as defined in section 1A of the Power-of-attorney Act, 1882;
- a trust as defined in section 3 of the Indian Trusts Act, 1882;
- a will as defined in section 2 (h) of the Indian Succession Act, 1925 (39 of 1925) including any other testamentary disposition by whatever name called;
- any contract for the sale or conveyance of immovable property or any interest in such property;
- any such class of documents or transactions as may be notified by the Central Government in the Official Gazette.
Digital Signatures: Legitimacy and use
The Act has adopted the Public Key Infrastructure (PKI) for securing electronic transactions. A digital signature means an authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the other provisions of the Act. Thus a subscriber can authenticate an electronic record by affixing his digital signature. A private key is used to create a digital signature whereas a public key is used to verify the digital signature and electronic record. They both are unique for each subscriber and together form a functioning key pair. Further, the Act provides that when any information or other matter needs to be authenticated by the signature of a person, the same can be authenticated by means of the digital signature affixed in a manner prescribed by the Central Government. The Act also gives the Central Government powers:
- to make rules prescribing the digital signature b) the manner in which it shall be affixed c) the procedure to identify the person affixing the signatured) the maintenance of integrity, security and confidentiality of records or
payments and rules regarding any other appropriate matters.
These signatures are to be authenticated by Certifying Authorities (CAs) appointed under the Act. These authorities would inter alia, have the license to issue Digital Signature Certificates (DSCs). The applicant must have a private key that can create a digital signature. This private key and the public key listed on the DSC must form the functioning key pair.
Once the subscriber has accepted the DSC, he shall generate the key pair by applying the security procedure. Every subscriber is under an obligation to exercise reasonable care and caution to retain control of the private key corresponding to the public key listed in his DSC. The subscriber must take all precautions not to disclose the private key to any third party. If however, the private key is compromised, he must communicate the same to the Certifying Authority (CA) without any delay.
Dispatch & acknowledgement- electronic records
All electronic records sent by an originator, his agent or an information system programmed by or on his behalf are attributable to him.
Where the originator has not agreed with the addressee that the acknowledgement of receipt of electronic data shall be given in a manner, the acknowledgement may be given by
- Any communication by the addressee, automated or otherwise; or
Any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.
Where the originator had stipulated that it shall be binding only on receipt of acknowledgement, then unless acknowledgement has been received, it shall mean that the electronic data was never sent.
Where no such stipulation was made, then the originator may give a notice to the addressee stating that no such acknowledgement has been received and specifying a time by which the acknowledgement must be received by him, if still no acknowledgement is received, he may after giving notice to the addressee treat the electronic data as never sent
- Unless otherwise agreed the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator.
- Unless otherwise agreed the time of receipt of electronic record shall be determined as follows:
- if the addressee has designated a computer resource for the purpose of receiving electronic records-
- receipt occurs at the time when the electronic record enters the designated computer resource; or
- if the electronic is sent to a resource that is not designated, receipt occurs when it is retrieved by the addressee
The Act is formulated to tackle various offences. Offences investigated and adjudicated upon by an adjudicating officer, certain offences have been specifically set out such as:
- Tempering with the computer source documents. Whoever knowingly or intentionally conceals, destroys, or alters or causes another to do the same any computer source code used for a computer, computer programme, computer system or computer network, shall be punishable with imprisonment up to three years, or with fine upto Rs. 2 lakhs or with both.
- Whoever commits hacking of the computer system shall be punished with imprisonment up to three years, or with fine upto Rs. 2 lakhs or with both.
- Whoever publishes or transmits or cause to be published any matter which is obscene, shall be punished on first conviction with imprisonment may extend upped five years with a fine of upped RS. 1,00,000 (for second and subsequent convictions, imprisonment of upped 10 years and a fine of upped RS. 2,00,000)
- The government may notify certain computer systems or networks as being "protected systems", unauthorized access to which may be punishable with imprisonment upped 10 years in addition to a fine.
- Whoever makes a misrepresentation to, or suppresses any material fact from the Controller of Certifying Authorities and whoever commits breach of confidentiality and privacy, having access to electronic data under the Act shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to RS. 1,00,000 or with both.
- Penalties have also been prescribed for publishing false digital signature certificates or for use of such certificates for fraudulent and unlawful purposes, which is imprisonment for a term which may extend to two years, or with fine which may extend to Rs. 1,00,000 or with both.
OFFENCES OUTSIDE INDIA
The provisions of the Act shall also apply to offences or contravention outside India, if such offences or contravention involves a computer, computer system or computer network located in India.
The Act provides the following:
- Damages by way of compensation not exceeding Rs. 10 million may be imposed for unauthorized access, unauthorized downloading or copying of data, introduction of computer viruses or contaminants, disruption of systems, denial of access or tampering with or manipulating any computer/network.
- The Act does provide that no penalty imposed under the Act shall prevent imposition of any other punishments attracted under any other law for the time being in force.
- Penalty for failure to furnish information, to file returns and for contravention of rules and regulations prescribed is a sum not exceeding Rs. 10,000
- Officers not below the rank of directors in the central or state governments will be appointed to act as adjudicating officers in respect of the aforesaid offences.
Cyber regulations tribunal (CRAT)
A Cyber Regulations Appellate Tribunal (CRAT) is to be set up for appeals from the order of any adjudicating officer. It consists of one person only- the Presiding Officer.
No appeal shall lie from an order made by an adjudicating officer with the consent of the parties.
Every appeal must be filed within a period of forty-five days from the date on which the person aggrieved receives a copy of the order made by the adjudicating officer.
The appeal must be in appropriate form and accompanied by the prescribed fee. An appeal may be allowed after the expiry of forty-five days if "sufficient cause" is shown.
The appeal filed before the Cyber Appellate Tribunal shall be dealt with by it as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal. The CRAT shall also have certain powers of a civil court.
As per the Act, no court shall have the jurisdiction to entertain any matter that can be decided by the adjudicating officer or the CRAT. However, a provision has been made to appeal from the decision of the CRAT to the High Court within sixty days of the date of communication of the order or decision of the CRAT. The stipulated period may be extended if sufficient cause is shown. The appeal may be made on either any question of law or question of fact arising from the order.
Powers of police to search, arrest etc.
A police officer not below the rank of Deputy Superintendent of Police, or any other officer authorised by the Central Government has the power to enter any public place and arrest any person without a warrant if he believes that a cyber crime has been or is about to be committed.
Public place includes public conveyance, any hotel, any shop or any other place intended for use by, or accessible to the public.
On being arrested, the accused person must, without any unnecessary delay, be taken or sent to the magistrate having jurisdiction or to the officer-in-charge of a police station. The provisions of the Code of Criminal Procedure, 1973 shall apply in relation to any entry, search or arrest made by the police officer.
Network services providers/ISP
Network services providers shall not be liable under this Act for any third party information or data made available, if they prove that the offence or contravention was committed without their knowledge or that they had exercised all due diligence to prevent such offence.
Network service provider means an intermediary:
Third party information means any information dealt with by network service provider in his capacity as intermediary
Offences by companies
In respect of offences by companies, in addition to the company, every person, who at the time the contravention was committed, was in charge of, and was responsible to the company for the conduct of the business of the company, shall be guilty of the contravention, unless he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.