INFORMATION TECHNOLOGY ACT

"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb". National Research Council, "Computers at Risk", 1991.

INTRODUCTION

An Act to:
Provide legal recognition for electronic transactions carried out by means of electronic data interchange (electronic commerce or e-commerce).
Give legal recognition to digital signatures for accepting any agreement in electronic form.
Facilitate electronic filing of documents with the Government agencies.
Stop computer crime and protect the privacy of internet users.
Give legal recognition for keeping books of accounts by bankers and other companies in electronic form.
Give more power to the IPC, RBI and Indian Evidence Act for restricting electronic crime.

SCOPE
All electronic information except:
A negotiable instrument (Sec 13, NIA 1881)
Power of attorney (Sec 1A, PAA 1882)
A trust (Sec 3, ITA 1882)
A will (Sec 2, ISA 1925)
Contract for sale of immovable property
Other documents notified by the Central Government in the Official Gazette

CRYPTOGRAPHY

Cryptography is the practice and study of techniques for secure communication in the presence of third parties (called adversaries).

Adversary is a malicious entity whose aim is to prevent the users of the cryptosystem from achieving their goal (primarily privacy, integrity, and availability of data).

SYMMETRIC KEY CRYPTOGRAPHY

An encryption system in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message. Symmetric-key systems are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way. Public-key encryption avoids this problem because the public key can be distributed in a non-secure way, and the private key is never transmitted.

PUBLIC KEY CRYPTOGRAPHY

Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the ciphertext.

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.

ADVANTAGES OF DS

Authentication: The process of proving one's identity.
Integrity: Assuring the receiver that the received message has not been altered in any way from the original.
Non-repudiation: A mechanism to prove that the sender really sent this message.

DIGITAL SIGNATURES

SECRET KEY CRYPTOGRAPHY

DIGITAL SIGNATURE CERTIFICATE

WHAT A DSC CONTAINS


The owner's public key
The owner's Distinguished Name
The Distinguished Name of the CA that is issuing the certificate
The date from which the certificate is valid
The expiry date of the certificate
A version number
A serial number

E-GOVERNANCE AND ELECTRONIC RECORDS

E-COMMERCE
E-Commerce transactions over the Internet include:
Formation of Contracts
Delivery of Information and Services
Delivery of Content

E-GOVERNANCE
Application of ICT
Aim towards making govt. services available to citizens in a transparent manner.
Model of e-governance: One Stop portal

ELECTRONIC RECORD
Electronic document produced by a computer. Stored in digital form, and cannot be perceived without using a computer.

Characteristics of Electronic Record:
It can be deleted, modified and rewritten without leaving a mark.
A copy is indistinguishable from the original.
It cannot be sealed in the traditional way, where the author affixes his signature.

Compliances For E-GOVERNANCE In IT ACT


Legal Recognition of Electronic Record
Legal Recognition of Digital Signatures
Use of Electronic Records in Government & Its Agencies
Retention of electronic records
Power to make rules by Central Government in respect of digital signature

Attribution Of Electronic Record


An electronic record shall be attributed to the originator in the following cases:
I. Sent by himself
II. Authorized person on behalf of him
III. Information System on behalf of that person

Acknowledgement Of ELECTRONIC RECORD


If the originator has not specified a particular method: any communication, automated or otherwise, or conduct to indicate the receipt.
If specified that the receipt is necessary: then unless acknowledgement has been received, the Electronic Record shall be deemed to have been never sent.
Where ack. is not received within the time specified or within a reasonable time, the originator may give notice to treat the Electronic Record as though never sent.

Dispatch Of Electronic Record


Unless otherwise agreed, dispatch occurs when the ER enters a resource outside the control of the originator.
If the addressee has a designated computer resource, receipt occurs at the time the ER enters the designated computer; if the electronic record is sent to a computer resource of the addressee that is not designated, receipt occurs when the ER is retrieved by the addressee.
If no computer resource is designated: when the ER enters a computer resource of the addressee, it shall be deemed to be received by the addressee.

CASE IN POINT : NDMC ELECTRICITY BILLING FRAUD CASE


A private contractor was to deal with receipt and accounting of electricity bills by the NDMC, Delhi. Collection of money, computerized accounting, record maintenance and remittance in the bank was his responsibility. He misappropriated a huge amount of funds by manipulating data files to show less receipt and bank remittance.

SECURE ELECTRONIC RECORDS AND SECURE DIGITAL SIGNATURES

DEFINITIONS
"Security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.
"Secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

SECURE DIGITAL SIGNATURE

If by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was: (a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; (c) linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated, then such digital signature shall be deemed to be a secure digital signature.
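Property (c) above, and the authentication and integrity points under ADVANTAGES OF DS, can be seen in a short sign-and-verify run. This is an added example, not part of the original slides: it uses textbook hash-then-sign RSA with constructed demo keys (Mersenne primes, no padding), and the function names and the sample billing record are hypothetical; real systems use a vetted library with a padded scheme such as RSASSA-PSS.

```python
import hashlib
import math

E = 65537  # public exponent shared by both demo keys


def make_key(p: int, q: int):
    """Build ((n, e), (n, d)) = (public key, private key) from primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(E, phi) == 1, "e must be invertible modulo phi"
    return (n, E), (n, pow(E, -1, phi))


def digest_int(record: bytes) -> int:
    """SHA-256 of the electronic record, as an integer (always < demo n)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private) -> int:
    """Signer side: only the holder of the private exponent can do this."""
    n, d = private
    return pow(digest_int(record), d, n)


def verify(record: bytes, signature: int, public) -> bool:
    """Verifier side: needs only the public key from the certificate."""
    n, e = public
    return 0 <= signature < n and pow(signature, e, n) == digest_int(record)


# Constructed demo keys. Mersenne primes keep the example self-contained;
# special-form primes like these must never be used for real keys.
SUBSCRIBER_PUB, SUBSCRIBER_PRIV = make_key(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_key(2**607 - 1, 2**1279 - 1)

# Constructed electronic record and an altered copy of it (one digit dropped).
RECORD = b"bill_no=1001;consumer=C-204;amount_received=5000"
ALTERED = b"bill_no=1001;consumer=C-204;amount_received=500"


def demo() -> dict:
    """Run the three checks a verifier cares about and return the outcomes."""
    signature = sign(RECORD, SUBSCRIBER_PRIV)
    forged = sign(RECORD, IMPOSTOR_PRIV)
    return {
        # Unaltered record, genuine signature: accepted.
        "original_accepted": verify(RECORD, signature, SUBSCRIBER_PUB),
        # Record altered after signing: the signature no longer matches.
        "altered_accepted": verify(ALTERED, signature, SUBSCRIBER_PUB),
        # Signature made with someone else's private key: rejected.
        "forged_accepted": verify(RECORD, forged, SUBSCRIBER_PUB),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```
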

"Certifying Authority" means a person who has been granted a licence to issue a Digital Signature Certificate.
Controller is appointed by the Central Government as a body to supervise the working of certifying authorities.

Certifying authority to follow certain procedures


Use hardware, software and procedures that are secure
Should provide reliable services
Adhere to security procedures to assure the security and privacy of the digital signature

Functions of Controller
Shall exercise supervision over the activities of Certifying Authorities
Lay down standards and conditions governing Certifying Authorities
Specify various forms and content of Digital Signature Certificates

Power to delegate

Controller can authorize the Deputy/Assistant controller or any other officer to exercise any power of the controller

Power to investigate contraventions


Controller or any authorized officer can take up investigation under this Act

Access to computer and data


If the Controller or any authorized officer has reasonable confidence of any violation of the Act by a person, he can access the computer, network and other hardware of that person

Controller to act as repository

Repository of Digital Signatures issued by certifying authorities
Maintain the secrecy and security of digital signatures
Maintain a database of public keys, which should be accessible to the public

Licence to issue Digital Signature Certificates

Any person can apply for the licence
Successful applicant needs proper qualification, expertise, manpower, financial resources and other infrastructure facilities
Valid for some period as prescribed by Central Government
Not transferable or heritable
Subject to terms and conditions specified by regulators

Procedure for grant or rejection of licence


Controller can reject the application based on the documents provided.
But it should give the applicant an opportunity to present his/her case before rejecting the licence.

Suspension of licence
Incorrect or false material
Failed to comply with terms and conditions
Failed to maintain the standards
Violation of any provision of this Act

Notice of suspension or revocation of licence

Should publish the notice in the database maintained.
The database should be accessible to the applicant through a web site or any other means.

Display of Licence

Certifying Authority shall display the licence in the premises where it carries the business

Surrender of Licence
Should surrender the licence after it is suspended or revoked.
Otherwise, the person in whose name the licence is issued shall be punished with imprisonment up to six months or fine up to 10K or both.

Disclosure

Certifying authorities should disclose:
Its Digital Signature used to digitally sign the other Digital Signature Certificates
Notice of suspension or revocation, if any
Any fact that affects the reliability or service of the Certifying Authority

In any event or situation which may adversely affect the computer system or the conditions subject to which the Digital Signature was granted, the Certifying Authority shall:
Use reasonable efforts to notify the person who is likely to be affected by it
Use the specified procedures to deal with the situation

PENALTIES AND ADJUDICATION

Penalty for damage to computer, computer system, etc.


If any person, without any permission from the owner or any other person who is in charge of a computer, computer system or computer network:
Accesses such computer.
Downloads, copies or extracts any data.
Introduces any computer virus.
Causes damage to the computer or data inside it.
Causes disruption of any computer.
Causes the denial of access to any authorized person.
Tampers with the account of any person.
He shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Penalty for failure to furnish information return etc.,


If any person who is required to do so under this Act or any rules or regulations made thereunder:
Fails to furnish the document to the Controller.
Fails to furnish the document in the specified time period.
Fails to maintain account books or records.

Penalty for sending obscene emails


Sending obscene emails is punishable under Section 67 of the IT Act. First conviction: imprisonment for a term of five years and a fine up to 1 lakh rupees.

If convicted a second time, imprisonment may extend up to 10 yrs and fine up to 2 lakh rupees.

STATE OF TAMIL NADU VS SUHAS KATTI CONVICTION

The case related to the posting of obscene, defamatory and annoying messages about a divorcee woman in a Yahoo message group. E-mails were also forwarded to the victim for information by the accused through a false e-mail account opened by him in the name of the victim. The posting of the message resulted in annoying phone calls to the lady in the belief that she was soliciting. The accused was a known family friend of the victim and was reportedly interested in marrying her. She however married another person. This marriage later ended in divorce and the accused started contacting her once again. On her reluctance to marry him, the accused took up the harassment through the Internet.

VERDICT

The accused is convicted and is sentenced for the offence to undergo RI for 2 years under 469 IPC and to pay a fine of Rs.500/-, and for the offence u/s 509 IPC sentenced to undergo 1 year simple imprisonment and to pay a fine of Rs.500/-, and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay a fine of Rs.4000/-. All sentences to run concurrently. The accused paid the fine amount and he was lodged at Central Prison, Chennai. This is considered the first case convicted under section 67 of the Information Technology Act 2000 in India.

Residual Penalty
Whoever contravenes any rules or regulations made under this act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty thousand rupees to the person affected.

Act to apply for offence or contravention committed outside India


Subject to the provisions of sub-section. The provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality. Contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

Power to Adjudicate
The officer to be appointed should have experience in the field of Information Technology and legal or judicial experience.
An officer not below the rank of Director to the Government of India is appointed as an adjudicating officer.
The appointed officer is given all the rights to impose the concerned penalty.
Every adjudicating officer has the powers of a civil court under sub-section (2) of section 58, and:
All proceedings are deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code.
Are deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973.

Factors taken into account by adjudicating officer


While adjudging the quantum of compensation under this chapter, the adjudicating officer shall have due regard to the following factors, namely:
The amount of gain of unfair advantage.
The amount of loss caused to any person.
The repetitive nature of default.

THE CYBER REGULATION APPELLATE TRIBUNAL

ESTABLISHMENT OF CYBER APPELLATE TRIBUNAL


The Central Government establishes one or more appellate tribunals to be known as the Cyber Appellate Tribunal.
It has been established under the IT Act under the aegis of the Controller of Certifying Authorities (CCA).
First and only CAT in the country, established by the Central Government in accordance with the provision contained under Section 48 (1) of the IT Act, 2000.
Started functioning in Oct. 2006 in New Delhi and headed by Hon'ble Mr Justice Rajesh Tandon.
The Central Government also specifies the matters and places to which the Cyber Appellate Tribunal may exercise jurisdiction.
The Cyber Appellate Tribunal shall consist of one presiding officer who is appointed, by notification, by the Central Government and any such number of other members

QUALIFICATIONS OF THE PRESIDING OFFICER

Any person is qualified for appointment to office, given that the person:
Is or has been, or is qualified to be, a Judge of a High Court
Is or has been a member of the Indian Legal Service and is holding or has held a post in Grade I of that Service for at least three years.

The presiding officer can hold office for a term of 5 years from the date on which he enters upon his office or until he attains the age of 65 years, whichever is earlier.

FILLING OF VACANCIES

For reasons other than temporary absence, if any vacancy occurs in the office of Presiding Officer of a Cyber Appellate Tribunal, then the Central Government shall appoint another person according to the provisions of the act.

The proceedings, if any, may continue once the vacancy has been filled.

REMOVAL AND RESIGNATION

The presiding officer of CRAT may, by notice in writing to the Central Government, resign his office.
The presiding officer of the Cyber Appellate Tribunal shall not be removed from his office, except by an order of the Central Government, on the ground of proven misbehavior or incapacity.
The Central Government may, by rules, regulate the procedure for investigating the misbehavior or incapacity of the aforesaid Presiding Officer.

STAFF OF CYBER APPELLATE TRIBUNAL

The Central Government shall provide the Tribunal with such officers and employees as the government may think fit.
The officers can discharge their duties under the supervision of the Presiding Officer.
The salaries, allowances and other conditions of service shall be prescribed by the Central Government.

APPEAL TO CYBER APPELLATE TRIBUNAL

Any person aggrieved by an order made by Controller or an adjudicating officer may appeal to the Appellate
Every appeal shall be made within forty five days from the date on which a copy of the order made by the Controller or the adjudicating officer is received by the aggrieved person.
On receipt of an appeal, the Cyber Appellate Tribunal may pass orders to confirm, modify or set aside the order appealed against.

CONTD

The appellate must also send a copy of every order made by it to, the parties to the appeal and to the concerned Controller. The appeal filed before the Cyber Appellate Tribunal shall be dealt with as expeditiously as possible and endeavor shall be made by it to dispose of the appeal finally within six months.

PROCEDURES AND POWERS

The Appellate Tribunal shall have powers to regulate its own procedure including the place at which it shall have its sittings. The cyber appellate tribunal shall have, for the purposes of the act, the same powers as vested in a civil court for e.g. summoning and enforcing the attendance of any person, requiring discovery of documents etc

Every proceeding before the cyber appellate tribunal shall be deemed to be judicial.

RIGHT TO LEGAL REPRESENTATION

The appellant may either appear in person or authorize one or more legal practitioners to present his case before the Tribunal. No civil court has any jurisdiction in the proceedings that come under the purview of the Tribunal.

APPEAL TO HIGH COURT

Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of such order.
The High Court may also, if satisfied, let the person file a case beyond that in some cases.

RECOVERY OF PENALTY

A penalty imposed under this Act, if it is not paid, shall be recovered as an arrear of land revenue and the licence or the Digital Signature Certificate, as the case may be, shall be suspended till the penalty is paid

CYBER CRIMES

S65 : tampering with computer source documents
S66 : hacking with computer system
S67 : publishing the information which is obscene in electronic form
S70 : un-authorized access to protected system
S72 : breach of confidentiality
S73 : publishing false digital signature

FACTS RELATED TO CYBER CRIMES


According to the National Crime Records Bureau India Report:
Cyber Crimes (IT Act + IPC Sections) increased by 22.7% in 2007 as compared to 2006 (from 453 in 2006 to 556 in 2007).
Cyber Forgery 64.0% (217 out of total 339) and Cyber Fraud 21.5% (73 out of 339) were the main cases under IPC category for Cyber Crimes.
63.0% of the offenders under IT Act were in the age group 18-30 years (97 out of 154) and 55.2% of the offenders under IPC Sections were in the age group 30-45 years (237 out of 429).

S65 : TAMPERING WITH SOURCE CODE

"Computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.
Tampering occurs when someone:
Conceals
Destroys
Alters
Punishment:
Imprisonment up to 3 years
Fine up to 2L

EXAMPLE
A big mobile services company launched a famous scheme wherein this company was giving an expensive hand-set at a very low cost but with a lock-in period of 3 years in which the mobile subscriber has to pay a fixed monthly rental and a premium call charge to such mobile services company. A special computer program / technology was used by this mobile services company wherein the hand-set can only be used with this mobile service and not with other mobile services. Employees of a competing mobile services company lured the customers of the above company to alter / tamper with the special (locking) computer program / technology so that the hand-set can be used with the competing mobile services.

S66 : HACKING

Someone who is not an authentic user uses someone else's account.

Hacking occurs when there is:
Wrongful loss
Damage to the public
Person destroys, deletes, alters any info or diminishes it in value
Punishment:
Imprisonment up to 3 years
Fine up to 2L

EXAMPLE
Two BPO employees gained illegal access to their company's computer system by hacking with the passwords. They conspired with the son of a credit card holder and illegally increased the credit limit of the card and changed the communication address so that the credit card statement never reaches the original card holder. The credit card company was cheated of about Rs. 7.2 lakhs.

S67 : PUBLISHING OF OBSCENE INFO

Material which is lascivious or appeals to the prurient interest, or if its effect is such as to tend to deprave and corrupt persons who are likely to read, see or hear it.
Punishment:
Imprisonment up to 5 years and fine up to 1L
Imprisonment up to 10 years and fine up to 2L

EXAMPLE
Some unknown person had created an email ID using the name of a lady and had used this email ID to post messages on five Web pages describing her as a call girl along with her contact numbers

S69 : DIRECTIONS OF CONTROLLER TO SUBSCRIBER TO DECRYPT INFORMATION

Controller can direct a government agency to intercept any information transmitted through any computer source if it is in the interest of:
Sovereignty and integrity of India
The security of the State
Friendly relations with foreign States
Public order
Preventing incitement to the commission of any cognizable offence
Imprisonment up to 7 years

The subscriber or any person who fails to assist the agency referred to in sub-section

S70

(1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section.
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

S71: Penalty for misrepresentation.

Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any license or Digital Signature Certificate, as the case may be, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lac rupees, or with both.

S72 : breach of confidentiality

Person having secured access to any electronic record, book, register, correspondence, information, document or other material, without the consent of the person concerned, discloses the document.
Imprisonment up to 2 years
Fine up to 1L

S73: publishing false digital signature

No person can issue digital signature if:
The certifying authority has not issued it
Subscriber in the certificate has not accepted it
Certificate has been suspended
Imprisonment up to 2 years
Fine up to 1L

LIABILITY ON NETWORK SERVICE PROVIDERS

S79 : NO LIABILITY ON NETWORK SERVICE PROVIDERS

No person providing service as a network service provider shall be liable if he proves that the offence was committed without his knowledge.
Network service provider: intermediary
Third party information: any information dealt with by a network service provider in his capacity as an intermediary
The criminal liability on the network service providers has been defined by the provisions of sub section (1).
E.g.: case of issuing SIM cards through stolen IDs

MISCELLANEOUS

POWER TO ENTER, SEARCH, ETC.

Irrespective of anything contained in the Code of Criminal Procedure, 1973.
Police officer, not below the rank of a Deputy Superintendent of Police.
Any other officer of the Central Government or a State Government authorised by the Central Government.
Public place.

PUBLIC SERVANTS

The Presiding Officer Other officers and employees of a Cyber Appellate Tribunal The Controller The Deputy Controller The Assistant Controllers

POWER TO GIVE DIRECTIONS

The Central Government may give directions to any State Government.

Implementation of provisions of this Act.

PROTECTION OF ACTION TAKEN IN GOOD FAITH


No suit, prosecution or other legal proceeding:
Central Government, State Government
The Controller, any person acting on his behalf
The Presiding Officer
Adjudicating officers
The staff of the Cyber Appellate Tribunal

REMOVAL OF DIFFICULTIES

Central Government can make provisions consistent with the provisions of the Act.

No order shall be made after the expiry of 2 years from the commencement of this Act.

POWER OF CENTRAL GOVERNMENT

To carry out the provisions of this Act.
Manner of authentication of Digital Signatures
Method and form of filing of Electronic Records
Security procedure for creating secure electronic records and secure digital signature

Terms and conditions of service of officials.

Any other matter required to be prescribed.

CONSTITUTION OF ADVISORY COMMITTEE

Cyber Regulations Advisory Committee - a Chairperson and other members.

Shall advise:
Central Government regarding rules or any purpose related to this Act.
The Controller in framing regulations under this Act.

POWER OF CONTROLLER TO MAKE REGULATIONS

The Controller - after consultation with the Cyber Regulations Advisory Committee.

Previous approval of the Central Government. Make laws consistent with the Act. Maintenance of data-base containing the disclosure record of every Certifying Authority.

Statements that shall accompany an application.

POWER OF STATE GOVERNMENT


Can make rules to carry out provisions of this Act.

The electronic form in which filing, issue, grant of receipt or payment shall be effected.

Any other matter which is required to be provided by rules by the State Government.

THANK YOU
